CVE-2002-0712
CVSS2.1
发布时间 :2004-02-03 00:00:00
修订时间 :2008-09-05 16:28:45
NMCOS    

[原文]Entrust Authority Security Manager (EASM) 6.0 does not properly require multiple master users to change the password of a master user, which could allow a master user to perform operations that require multiple authorizations.


[CNNVD]Entrust Authority Security Manager多个验证欺骗漏洞(CNNVD-200402-012)

        
        Entrust Authority Security Manager用于颁发、管理及废除X.509证书。负责密钥备份及恢复、更新密钥对及支持交叉认证,并为证书库支持活动目录、X.500和LDAP目录。
        Entrust Authority安全管理系统存在验证漏洞,远程攻击者可以利用这个漏洞欺骗软件的认证模型,更改主用户密码。
        Entrust Authority安全管理系统的主用户(Master user)验证机制存在缺陷,允许未授权更改主用户密码。问题是由于命令行工具不需要执行GUI应用程序所需的验证过程,因此攻击者可以使用命令行工具欺骗软件信任模型。
        

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:entrust:entrust_authority_security_manager:5.0
cpe:/a:entrust:entrust_authority_security_manager:6.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0712
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0712
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200402-012
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/720017
(VENDOR_ADVISORY)  CERT-VN  VU#720017
http://www.kb.cert.org/vuls/id/AAMN-5KKVXC
(UNKNOWN)  CONFIRM  http://www.kb.cert.org/vuls/id/AAMN-5KKVXC
http://xforce.iss.net/xforce/xfdb/11724
(VENDOR_ADVISORY)  XF  easm-multiple-authorization-bypass(11724)
http://www.securityfocus.com/bid/7284
(VENDOR_ADVISORY)  BID  7284

- 漏洞信息

Entrust Authority Security Manager多个验证欺骗漏洞
低危 访问验证错误
2004-02-03 00:00:00 2005-10-20 00:00:00
本地  
        
        Entrust Authority Security Manager用于颁发、管理及废除X.509证书。负责密钥备份及恢复、更新密钥对及支持交叉认证,并为证书库支持活动目录、X.500和LDAP目录。
        Entrust Authority安全管理系统存在验证漏洞,远程攻击者可以利用这个漏洞欺骗软件的认证模型,更改主用户密码。
        Entrust Authority安全管理系统的主用户(Master user)验证机制存在缺陷,允许未授权更改主用户密码。问题是由于命令行工具不需要执行GUI应用程序所需的验证过程,因此攻击者可以使用命令行工具欺骗软件信任模型。
        

- 公告与补丁

        厂商补丁:
        Entrust
        -------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        Entrust Upgrade Entrust Authority Security Manager 6.1
        
        http://www.entrust.com

- 漏洞信息

10395
Entrust Authority Security Manager Master User Arbitrary Unprivileged Command Execution

- 漏洞描述

Unknown or Incomplete

- 时间线

2003-04-04 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Entrust Authority Security Manager Multiple Authorization Circumvention Vulnerability
Access Validation Error 7284
No Yes
2002-07-02 12:00:00 2009-07-11 09:06:00
Discovery credited to Keith Sollers.

- 受影响的程序版本

Entrust Authority Security Manager 6.0
- Compaq Tru64 5.1
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Sun Solaris 8_sparc
- Sun Solaris 7.0
Entrust Authority Security Manager 5.0
- Compaq Tru64 5.1
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Sun Solaris 8_sparc
- Sun Solaris 7.0
Entrust Authority Security Manager 6.1

- 不受影响的程序版本

Entrust Authority Security Manager 6.1

- 漏洞讨论

It has been reported that the Entrust Authority Security Manager has a flaw in Master User authentication that could allow the unauthorized changing of master user passwords. Command line tools do not force the same authentication requirements as performed by the GUI application. Because of this, an attacker could use the command line tools to circumvent the trust model of the software.

- 漏洞利用

No exploit is required for this vulnerability.

- 解决方案

Entrust has released Authority Security Manager 6.1 as a mandatory upgrade to address this issue:


Entrust Authority Security Manager 5.0

Entrust Authority Security Manager 6.0

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站