CVE-2001-1354

NetWin Authentication module (NWAuth) 2.0 and 3.0b, as implemented in SurgeFTP, DMail, and possibly other packages, uses weak password hashing, which could allow local users to decrypt passwords or use a different password that has the same hash value as the correct password.

CVSS v2.0 4.6 MEDIUM

4.6^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 3.9 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://online.securityfocus.com/archive/1/198293	Vendor Advisory
http://www.securityfocus.com/bid/3075	Exploit Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/6866

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:netwin:dmail:2.8g:::::::*
	cpe:2.3:a:netwin:dmail:2.8h:::::::*
	cpe:2.3:a:netwin:dmail:2.8e:::::::*
	cpe:2.3:a:netwin:dmail:2.8f:::::::*
	cpe:2.3:a:netwin:dmail:2.7q:::::::*
	cpe:2.3:a:netwin:dmail:2.7r:::::::*
	cpe:2.3:a:netwin:surgeftp:2.0a:::::::*
	cpe:2.3:a:netwin:surgeftp:2.0b:::::::*
	cpe:2.3:a:netwin:dmail:2.5d:::::::*
	cpe:2.3:a:netwin:dmail:2.7:::::::*
	cpe:2.3:a:netwin:dmail:2.8i:::::::*
	cpe:2.3:a:netwin:surgeftp:1.0b:::::::*

Information

Published : 2001-07-19 21:00

Updated : 2017-12-18 18:29

NVD link : CVE-2001-1354

Mitre link : CVE-2001-1354

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

netwin

surgeftp
dmail

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://online.securityfocus.com/archive/1/198293", "name": "20010720 NetWin Authentication Module 3.0b password storage vulnerabilities / buffer overflows", "tags": ["Vendor Advisory"], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/bid/3075", "name": "3075", "tags": ["Exploit", "Vendor Advisory"], "refsource": "BID"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6866", "name": "netwin-nwauth-weak-encryption(6866)", "tags": [], "refsource": "XF"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "NetWin Authentication module (NWAuth) 2.0 and 3.0b, as implemented in SurgeFTP, DMail, and possibly other packages, uses weak password hashing, which could allow local users to decrypt passwords or use a different password that has the same hash value as the correct password."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2001-1354", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": true, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2001-07-20T04:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:netwin:dmail:2.8g:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netwin:dmail:2.8h:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netwin:dmail:2.8e:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netwin:dmail:2.8f:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netwin:dmail:2.7q:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netwin:dmail:2.7r:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netwin:surgeftp:2.0a:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netwin:surgeftp:2.0b:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netwin:dmail:2.5d:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netwin:dmail:2.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netwin:dmail:2.8i:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:netwin:surgeftp:1.0b:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2017-12-19T02:29Z"}