PT-2012-1227 · Freebsd+6 · Freebsd+5

Joseph Bonneau +1 · Published 2012-06-25 · Updated 2024-06-15

CVE-2012-2143 · CVSS v2.0: 4.3 (Medium) · Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: FreeBSD versions prior to 9.0-RELEASE-p2
Description: The issue is in the crypt_des function, which does not process the complete cleartext password if it contains a 0x80 character: processing stops at that character and the rest of the password is ignored. This makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password. The problem was demonstrated with a Unicode password and affects products that use this function, such as PHP and PostgreSQL.
Recommendations: For FreeBSD versions prior to 9.0-RELEASE-p2, update to 9.0-RELEASE-p2 or later to resolve the issue. Until the update is applied, avoid passwords containing the 0x80 character, and restrict access to authentication mechanisms that rely on the crypt_des function to minimize the risk of exploitation.
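The truncation described above, modelled as an added C example (not the FreeBSD, PHP or PostgreSQL source): a simplified DES key-loading loop in its vulnerable form beside the fixed form, plus a regression check that reports whether the prefix of a password up to its first 0x80 byte yields the same key bytes as the full password. The loop bodies, the KEYLEN constant, the function names and the sample password are assumptions of this model.

```c
#include <string.h>
#define KEYLEN 8   /* classic DES crypt consumes at most 8 password bytes */

/* Simplified model (not the FreeBSD source) of the DES key-loading step:
 * each byte is shifted left one bit into keybuf, zero-padded after the
 * terminator. Vulnerable form: the pointer advances only while the STORED
 * 8-bit value is non-zero, but 0x80 << 1 == 0x100 truncates to 0x00, so a
 * 0x80 byte is mistaken for NUL and the rest of the password is dropped. */
static void load_key_vulnerable(const char *key, unsigned char *keybuf)
{
    unsigned char *q = keybuf;
    while (q - keybuf < KEYLEN) {
        unsigned char c = (unsigned char)*key;
        if ((*q++ = (unsigned char)(c << 1)) != 0)
            key++;
    }
}

/* Fixed form: advance on the real terminator, not on the stored value. */
static void load_key_fixed(const char *key, unsigned char *keybuf)
{
    unsigned char *q = keybuf;
    while (q - keybuf < KEYLEN) {
        *q++ = (unsigned char)((unsigned char)*key << 1);
        if (*key != '\0')
            key++;
    }
}

/* Regression check: returns 1 when the loader derives identical key bytes
 * from the full password and from its prefix ending at the first 0x80 byte,
 * i.e. when the truncated password would authenticate as the full one. */
static int prefix_collides(void (*load)(const char *, unsigned char *),
                           const char *password)
{
    char prefix[KEYLEN + 1];
    unsigned char full[KEYLEN], part[KEYLEN];
    size_t n = 0;
    do {
        if (password[n] == '\0' || n == KEYLEN)
            return 0;                  /* no 0x80 among the bytes DES uses */
        prefix[n] = password[n];
    } while ((unsigned char)password[n++] != 0x80);
    prefix[n] = '\0';
    if (password[n] == '\0')
        return 0;                      /* 0x80 is the last byte: nothing lost */
    load(password, full);
    load(prefix, part);
    return memcmp(full, part, KEYLEN) == 0;
}
```

With the constructed password "pw", a raw 0x80 byte, then "rest", the vulnerable loader reports a collision with the prefix "pw\x80" and the fixed loader does not.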


Related Identifiers

BDU:2022-02629
CESA-2012_1037
CESA-2012_1046
CVE-2012-2143
DSA-2491-1
OPENSUSE-SU-2024:10030-1
OPENSUSE-SU-2024:10256-1
OPENSUSE-SU-2024:10273-1
RHSA-2012:1036
RHSA-2012:1037
RHSA-2012:1046
RHSA-2012:1047
RHSA-2012_1036
RHSA-2012_1037
RHSA-2012_1046
RHSA-2012_1047
SUSE-SU-2012_0840-1
SUSE-SU-2012_1021-1

Affected Products

CentOS
FreeBSD
PHP
PostgreSQL
Red Hat
SUSE