oss-sec mailing list archives

Re: CVE Request: iodine: authentication bypass by client

From: cve-assign () mitre org
Date: Tue, 17 Jun 2014 22:57:42 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iodine 0.7.0 has just been released, which fixes an authentication bypass
issue

https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850

The client could bypass the password check by continuing after getting error
from the server and guessing the network parameters. The server would still
accept the rest of the setup and also network traffic.

Add checks for normal and raw mode that user has authenticated before allowing
any other communication.


Use CVE-2014-4168.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJToMEDAAoJEKllVAevmvmsNwgIAKFLSxMA6JXBvw5J+JiMJOVx
W61HnD6zhcfD2/5C4mQsfZx0hnqxVQHUcbPiydWVW6oRYn/GQRrpC7JkTkEP6wSt
bQdj+5krJAjiGG6ilQbHGEypdh5bZPs1rIaB0ZthnxGvEOmhJq2jO8vg+7DDoJf/
hm5rqx/BVToMCXqBjAniCJpRvnibTfBRd4n9r2wkYks4PB3wV43bI2k/UbkS3ya4
7FXWs1pFuVilJFlVRyEV4IzYb/32SU7Xl02G/8fNshczKZ0MrNqCh2OCqplUBqpN
wxjsgejqOY+PGu2md035LQWDMpxP4YlgwwtWFPyD+EsPJ8384C53TXcyQ9N1fZM=
=1/SN
-----END PGP SIGNATURE-----

Current thread:

CVE Request: iodine: authentication bypass by client Erik Ekman (Jun 16)
- Re: CVE Request: iodine: authentication bypass by client cve-assign (Jun 17)