PT-2012-1227 · Freebsd+6 · Freebsd+5

Joseph Bonneau

Published: 2012-06-25 · Updated: 2024-06-15 · CVE-2012-2143

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the vulnerable software and affected versions: FreeBSD versions prior to 9.0-RELEASE-p2

Description: The issue lies in the crypt_des function, which does not process the complete cleartext password when the password contains a 0x80 character. This makes it easier for context-dependent attackers to gain access by authenticating with an initial substring of the intended password. The problem was demonstrated with a Unicode password and also affects products that embed this function, such as PHP and PostgreSQL.

Recommendations: For FreeBSD versions prior to 9.0-RELEASE-p2, update to 9.0-RELEASE-p2 or later to resolve the issue. As a temporary workaround until the patch is applied, avoid passwords containing the 0x80 character, and restrict access to authentication mechanisms that rely on the crypt_des function to minimize the risk of exploitation.


Weakness Enumeration

Related identifiers

BDU:2022-02629
CESA-2012_1037
CESA-2012_1046
CVE-2012-2143
DSA-2491-1
OPENSUSE-SU-2024:10030-1
OPENSUSE-SU-2024:10256-1
OPENSUSE-SU-2024:10273-1
RHSA-2012:1036
RHSA-2012:1037
RHSA-2012:1046
RHSA-2012:1047
RHSA-2012_1036
RHSA-2012_1037
RHSA-2012_1046
RHSA-2012_1047
SUSE-SU-2012_0840-1
SUSE-SU-2012_1021-1

Affected products

Centos
Freebsd
Php
Postgresql
Red Hat
Suse