GLSA Bodhisattva
Posted: Tue Jan 11, 2005 5:48 pm Post subject: [ GLSA 200501-21 ] HylaFAX: hfaxd unauthorized login vulnera
Gentoo Linux Security Advisory
Title: HylaFAX: hfaxd unauthorized login vulnerability (GLSA 200501-21)
Severity: normal
Exploitable: remote
Date: January 11, 2005
Bug(s): #75941
ID: 200501-21
Synopsis
HylaFAX is subject to a vulnerability in its username matching code, potentially allowing remote users to bypass access control lists.
Background
HylaFAX is a software package for sending and receiving facsimile messages.
Affected Packages
Package: net-misc/hylafax
Vulnerable: < 4.2.0-r2
Unaffected: >= 4.2.0-r2
Architectures: All supported architectures
Description
The code used by hfaxd to match a given username and hostname with an entry in the hosts.hfaxd file is insufficiently protected against malicious entries.
Impact
If the HylaFAX installation uses a weak hosts.hfaxd file, a remote attacker could authenticate using a malicious username or hostname and bypass the intended access restrictions.
Workaround
As a workaround, administrators may consider adding passwords to all entries in the hosts.hfaxd file.
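One way to check a hosts.hfaxd file against this workaround is sketched below; it is an added example, not part of the advisory or of HylaFAX. It assumes the entry layout client:uid:passwd:adminwd, with "#" starting a comment and a leading "!" marking a deny entry, and that client patterns contain no literal ":"; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report hosts.hfaxd allow-entries that carry no password.
# Assumed layout per entry: client:uid:passwd:adminwd (fields after the first optional).

# audit_hosts_hfaxd FILE
# Prints "line N: <entry>" for every allow-entry whose passwd field is
# missing or empty. Returns 1 if any such entry exists, 0 otherwise.
audit_hosts_hfaxd() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                    # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "", line)       # trim surrounding blanks
        if (line == "") next                    # blank or comment-only line
        if (substr(line, 1, 1) == "!") next     # deny entry: no password expected
        n = split(line, f, ":")
        # Limitation (assumption): a ":" inside the client pattern shifts the
        # fields, so such entries must be reviewed by hand.
        if (n < 3 || f[3] == "") {
            printf "line %d: %s\n", NR, line
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample file contents (not taken from a real system).
sample_hosts_hfaxd() {
    cat <<'EOF'
# constructed sample for the audit function
localhost
192\.168\.1\.[0-9]+:1001
^alice@.*\.example\.org$:1002:CONSTRUCTEDHASH
!^.*@untrusted\.example\.net$
^bob@.*::
EOF
}

# Demonstration on the constructed sample.
tmp=$(mktemp) && sample_hosts_hfaxd > "$tmp"
audit_hosts_hfaxd "$tmp" || echo "the entries listed above have no password"
rm -f "$tmp"
```
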
Resolution
All HylaFAX users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/hylafax-4.2.0-r2"

Note: Due to heightened security, weak entries in the hosts.hfaxd file may no longer work. Please see the HylaFAX documentation for details of accepted syntax in the hosts.hfaxd file.
References
CAN-2004-1182
HylaFAX Announcement
Last edited by GLSA on Sun May 07, 2006 4:54 pm; edited 1 time in total