Executive Summary
Summary | |
---|---|
Title | NuPoint Messenger server transmits authentication credentials in plain text |
Informations | |||
---|---|---|---|
Name | VU#576996 | First vendor Publication | 2009-05-06 |
Vendor | VU-CERT | Last vendor Modification | 2009-05-06 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 7.8 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#576996NuPoint Messenger server transmits authentication credentials in plain textOverviewNuPoint Messenger is a unified communications product that connects to a Microsoft Exchange server. When communicating with the mail server the NuPoint Messenger server transmits Exchange usernames and passwords in cleartext.I. DescriptionThe NuPoint Messenger server can connect to a Microsoft Exchange server via the IMAP or MAPI protocols. During the authentication process, the NuPoint server will send user domain authentication credentials in cleartext to the Exchange server. Older versions of the NuPoint Messenger product may transmit the NuPoint server's root password without encryption instead of individual usernames and passwords. Administrators are encouraged review the "NuPoint communication with MS Exchange" document for more information.II. ImpactAn attacker with access to network data may be able to obtain domain (Exchange) usernames and passwords.III. SolutionThere is no solution to this issue. Administrators are encourgaed to review the below workarounds to mitigate the impact of this vulnerability.Encrypt connections between NuPoint and Exchange Servers
Restrict access The NuPoint Messenger server should not use IMAP to connect to remote Exchange servers. If IMAP is enabled, the NuPoint server should be directly connected to the same isolated network as the Exchange server that it is communicating with. Systems Affected
References
Simon Laurin of Simon Laurin Services-Conseils inc. reported this issue and provided valuable feedback. Mitel provided technical information that was used in this report. This document was written by Ryan Giobbi.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/576996 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-310 | Cryptographic Issues |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 2 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
54681 | NuPoint Messenger Server Cleartext Credentials Disclosure |