PT-2024-28855 · No Ip · No-Ip Dynamic Update Client
Jeppojeps · Published 2024-09-12 · Updated 2024-10-31 · CVE-2024-40457
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
No-IP Dynamic Update Client (DUC) versions 3.x
Description
The No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. The vendor's position is that cleartext in /etc/default/noip-duc is recommended and is the intentional behavior.
Recommendations
For No-IP Dynamic Update Client (DUC) versions 3.x, consider restricting access to the /etc/default/noip-duc file to minimize the risk of exploitation. As a temporary workaround, avoid using cleartext credentials in command lines or files until a more secure method is implemented. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
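A way to check both exposures named above on a Linux host, as an added example that is not part of the advisory or the vendor's tooling. It assumes GNU `stat` and a Linux `/proc`; the `--password` flag name is an assumption about the DUC command line, and only the file path comes from the advisory.

```shell
#!/bin/sh
# Added example: audit the two exposures named in the advisory.
# Assumes GNU stat and Linux /proc; "--password" is an assumed flag name.
CONF=/etc/default/noip-duc   # path taken from the advisory

# Print "ok" when group/other have no permission bits, else "loose:<mode>".
check_mode() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        [0-7]00) echo ok ;;
        *)       echo "loose:$mode" ;;
    esac
}

# Restrict the file to its owner; hand it to root when we are root.
harden_conf() {
    chmod 0600 "$1" || return 1
    [ "$(id -u)" -ne 0 ] || chown root:root "$1"
}

# Succeed when an argument string carries a password flag.
cmdline_has_secret() {
    case " $1 " in
        *" --password "*|*" --password="*) return 0 ;;
        *) return 1 ;;
    esac
}

# List PIDs of noip-duc processes whose arguments expose a password.
# /proc/<pid>/cmdline is readable by every local user by default.
scan_procs() {
    for f in /proc/[0-9]*/cmdline; do
        args=$(tr '\0' ' ' 2>/dev/null < "$f") || continue
        case "$args" in *noip-duc*) ;; *) continue ;; esac
        pid=${f#/proc/}
        # Report the PID only; never echo the arguments themselves.
        if cmdline_has_secret "$args"; then echo "${pid%/cmdline}"; fi
    done
}

audit() {
    [ -e "$CONF" ] && echo "$CONF: $(check_mode "$CONF")"
    scan_procs | sed 's/^/password on command line, pid /'
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it with `--audit` to report; `harden_conf /etc/default/noip-duc` applies the owner-only mode.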
Exploit
Cleartext Storage of Sensitive Information
Weakness Enumeration
Related Identifiers
Affected Products
No-Ip Dynamic Update Client