OSVDB ID: 28272

Title: OpenVMS NET$SESSION_CONTROL Module Cleartext Password Local Disclosure

Info

Disclosure

Aug 30, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

OpenVMS contains a flaw that may lead to an unauthorized password exposure. It is possible for passwords to be written to the audit log in cleartext due to an error in the 'NET$SESSION_CONTROL' module when a connection attempt with a correct password is made after a 'network breakin' event, which may lead to a loss of confidentiality.

Classification

Location: Local Access Required
Attack Type: Cryptographic, Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Hewlett-Packard Development Company has released a patch to address this vulnerability.

Products

Hewlett-Packard Development Company, L.P.

OpenVMS

ALPHA V7.3-2

References

Bugtraq ID: 19783
CVE ID: 2006-4537 (see also: NVD)
Secunia Advisory ID: 21705
VUPEN Advisory: ADV-2006-3423
Vendor Specific Solution URL: ftp://ftp.itrc.hp.com/openvms_patches/alpha/V7.3-2/AXP_DNVOSIECO03-V732.PCSI-DCX_AXPEXE
Vendor Specific Advisory URL: ftp://ftp.itrc.hp.com/openvms_patches/alpha/V7.3-2/AXP_DNVOSIECO03-V732.txt

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/28272