CVE-2002-0453
CVSS 7.5
Published: 2002-08-12 00:00:00
Last revised: 2008-09-05 16:28:04

[Original text] The account lockout capability in Oblix NetPoint 5.2 and earlier only locks out users once for the specified lockout period, which makes it easier for remote attackers to conduct brute force password guessing by waiting until the lockout period ends, then guessing passwords without being locked out again.


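[CNNVD] Oblix NetPoint Account Lockout Bypass Vulnerability (CNNVD-200208-218)

        Oblix NetPoint is a program that provides access control management for web services, designed to run on Windows and Solaris platforms.
        Oblix NetPoint contains a design error that allows its account lockout policy to be bypassed.
        NetPoint can be configured so that when a user makes multiple login attempts with an invalid password, the account is temporarily frozen for a period set in the configuration. However, once the lockout period has passed, the invalid-login lockout for that account stops working: any number of login attempts can be made against the account without it being locked, and the lockout is only re-enabled after the account logs in successfully again. An attacker can therefore run a brute force attack against the account to guess the password.
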

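- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definition found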

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0453
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0453
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-218
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/4288
(VENDOR_ADVISORY)  BID  4288
http://www.iss.net/security_center/static/8461.php
(VENDOR_ADVISORY)  XF  netpoint-account-lockout-bypass(8461)
http://www.securityfocus.com/archive/1/262066
(VENDOR_ADVISORY)  BUGTRAQ  20020314 Account Lockout Vulnerability in Oblix NetPoint v5.2

- Vulnerability information

Oblix NetPoint Account Lockout Bypass Vulnerability
High risk  Design error
2002-08-12 00:00:00 2005-10-20 00:00:00
Remote
        
        

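- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:
        * No good workaround is currently available.
        Vendor patch:
        Oblix
        -----
        Reportedly, Oblix has released a patch. Contact them by email:
        Oblix Customer Support <support@oblix.com>.

        http://www.oblix.com/products/netpoint/index.html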

- Vulnerability information

14411
Oblix NetPoint Account Lockout Weakness

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-03-14 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Oblix NetPoint Account Lock Bypass Vulnerability
Design Error 4288
Yes No
2002-03-14 12:00:00 2009-07-11 11:56:00
Reported by Bill Canning <william.canning@ey.com>.

- Affected program versions

Oblix NetPoint 5.2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Sun Solaris 8_sparc
- Sun Solaris 7.0

- Vulnerability discussion

Oblix NetPoint is an access control management program for web services. NetPoint is designed to work on Windows and Solaris systems.

Under certain circumstances, it is possible to bypass the account lockout policy on a system using NetPoint. Successful exploitation of this issue could render this protective measure useless against brute force attempts.

- Exploit

No exploit code required.

- Solution

Reportedly Oblix has released a patch which rectifies this issue. Contact Oblix Customer Support <support@oblix.com>.
