PT-2008-4187 · Vitalwerks · No-Ip Dynamic Update Client

Published

2008-06-18

Updated

2018-10-11

CVE-2008-2747

CVSS v2.0

2.1

Low

Vector

AV:L/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions No-IP Dynamic Update Client (DUC) version 2.2.1

Description The issue concerns weak permissions for a specific registry key, allowing local users to access sensitive information. This includes obtaining obfuscated passwords and other data by reading the TrayPassword, Username, Password, and Hosts registry values.

Recommendations For No-IP Dynamic Update Client (DUC) version 2.2.1, consider restricting access to the HKLMSOFTWAREVitalwerksDUC registry key to prevent local users from reading sensitive information. As a temporary workaround, restrict access to the TrayPassword, Username, Password, and Hosts registry values until a patch is available.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2008-2747

Affected Products

No-Ip Dynamic Update Client

PT-2008-4187 · Vitalwerks · No-Ip Dynamic Update Client

CVE-2008-2747

Weakness Enumeration

Related Identifiers

Affected Products

References · 6