CVE-2008-2747

No-IP Dynamic Update Client (DUC) 2.2.1 on Windows uses weak permissions for the HKLM\SOFTWARE\Vitalwerks\DUC registry key, which allows local users to obtain obfuscated passwords and other sensitive information by reading the (1) TrayPassword, (2) Username, (3) Password, and (4) Hosts registry values.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/29758
http://secunia.com/advisories/30714	Vendor Advisory
http://securityreason.com/securityalert/3952
https://exchange.xforce.ibmcloud.com/vulnerabilities/43298
http://www.securityfocus.com/archive/1/493367/100/0/threaded

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

cpe:2.3:a:no-ip:dynamic_update_client:2.2.1:*:*:*:*:*:*:*

Information

Published : 2008-06-18 12:41

Updated : 2018-10-11 13:42

NVD link : CVE-2008-2747

Mitre link : CVE-2008-2747

JSON object : View

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Products Affected

no-ip

dynamic_update_client

microsoft

windows

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.securityfocus.com/bid/29758", "name": "29758", "tags": [], "refsource": "BID"}, {"url": "http://secunia.com/advisories/30714", "name": "30714", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://securityreason.com/securityalert/3952", "name": "3952", "tags": [], "refsource": "SREASON"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43298", "name": "noipduc-duc-info-disclosure(43298)", "tags": [], "refsource": "XF"}, {"url": "http://www.securityfocus.com/archive/1/493367/100/0/threaded", "name": "20080616 DUC NO-IP Local Password Information Disclosure Vulnerability", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "No-IP Dynamic Update Client (DUC) 2.2.1 on Windows uses weak permissions for the HKLM\\SOFTWARE\\Vitalwerks\\DUC registry key, which allows local users to obtain obfuscated passwords and other sensitive information by reading the (1) TrayPassword, (2) Username, (3) Password, and (4) Hosts registry values."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-200"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2008-2747", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "LOW", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2008-06-18T19:41Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:no-ip:dynamic_update_client:2.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-11T20:42Z"}

2.1 /10