Details of VAR-200412-0292

ID

VAR-200412-0292

CVE

CVE-2004-2396

TITLE

Mandrake Linux passwd Unknown security vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200412-959

DESCRIPTION

passwd 0.68 does not check the return code for the pam_start function, which has unknown impact and attack vectors that may prevent "safe and proper operation" of PAM. Two potential security issues reportedly affect the implementation of passwd included with Mandrake Linux, according to Mandrake advisory MDKSA-2004:045. According to the report, passwords supplied to passwd via stdin are incorrectly one character shorter than they should be. It is not known whether this behavior occurs at the interactive prompt or if the implementation allows for passwords to be "piped" to passwd through stdin. This may or may not have security implications as the user's password will not be stored correctly and the user will not be able to login. It is conceivable that this could result in a less secure password. The second issue reported by Mandrake is that PAM may not be initialized correctly and "safe and proper" operation may not be ensured. Further technical details are not known. Mandrake Linux is an open source operating system

Trust: 1.26

sources: NVD: CVE-2004-2396 // BID: 10370 // VULHUB: VHN-10824

AFFECTED PRODUCTS

vendor:	mandrakesoft	model:	mandrake linux corporate server	scope:	eq	version:	2.1	Trust: 0.6
vendor:	mandrakesoft	model:	mandrake linux	scope:	eq	version:	9.2	Trust: 0.6
vendor:	mandrakesoft	model:	mandrake linux	scope:	eq	version:	9.1	Trust: 0.6
vendor:	mandrakesoft	model:	mandrake multi network firewall	scope:	eq	version:	8.2	Trust: 0.6
vendor:	mandrakesoft	model:	mandrake linux	scope:	eq	version:	10.0	Trust: 0.6
vendor:	mandrakesoft	model:	mandrake linux	scope:	eq	version:	9.0	Trust: 0.6
vendor:	mandrakesoft	model:	mandrake linux	scope:	eq	version:	8.2	Trust: 0.6
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	10.0	Trust: 0.3
vendor:	mandriva	model:	linux mandrake amd64	scope:	eq	version:	9.2	Trust: 0.3
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	9.2	Trust: 0.3
vendor:	mandriva	model:	linux mandrake ppc	scope:	eq	version:	9.1	Trust: 0.3
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	9.1	Trust: 0.3
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	9.0	Trust: 0.3
vendor:	mandriva	model:	linux mandrake ppc	scope:	eq	version:	8.2	Trust: 0.3
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	8.2	Trust: 0.3
vendor:	mandrakesoft	model:	multi network firewall	scope:	eq	version:	2.0	Trust: 0.3
vendor:	mandrakesoft	model:	corporate server x86 64	scope:	eq	version:	2.1	Trust: 0.3
vendor:	mandrakesoft	model:	corporate server	scope:	eq	version:	2.1	Trust: 0.3

sources: BID: 10370 // CNNVD: CNNVD-200412-959

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2004-2396
value:	HIGH
Trust: 1.0
CNNVD:	CNNVD-200412-959
value:	HIGH
Trust: 0.6
VULHUB:	VHN-10824
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2004-2396
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-10824
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-10824 // CNNVD: CNNVD-200412-959 // NVD: CVE-2004-2396

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2004-2396

THREAT TYPE

local

Trust: 0.9

sources: BID: 10370 // CNNVD: CNNVD-200412-959

TYPE

Unknown

Trust: 0.9

sources: BID: 10370 // CNNVD: CNNVD-200412-959

EXTERNAL IDS

db:	BID	id:	10370	Trust: 2.0
db:	NVD	id:	CVE-2004-2396	Trust: 1.7
db:	CNNVD	id:	CNNVD-200412-959	Trust: 0.7
db:	MANDRAKE	id:	MDKSA-2004:045	Trust: 0.6
db:	NSFOCUS	id:	6467	Trust: 0.6
db:	XF	id:	16179	Trust: 0.6
db:	VULHUB	id:	VHN-10824	Trust: 0.1

sources: VULHUB: VHN-10824 // BID: 10370 // CNNVD: CNNVD-200412-959 // NVD: CVE-2004-2396

REFERENCES

url:	http://www.securityfocus.com/bid/10370	Trust: 1.7
url:	http://www.mandriva.com/security/advisories?name=mdksa-2004:045	Trust: 1.7
url:	http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120060	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/16179	Trust: 1.1
url:	http://xforce.iss.net/xforce/xfdb/16179	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/6467	Trust: 0.6

sources: VULHUB: VHN-10824 // CNNVD: CNNVD-200412-959 // NVD: CVE-2004-2396

CREDITS

Steve Grubb※ linux_4ever@yahoo.com

Trust: 0.6

sources: CNNVD: CNNVD-200412-959

SOURCES

db:	VULHUB	id:	VHN-10824
db:	BID	id:	10370
db:	CNNVD	id:	CNNVD-200412-959
db:	NVD	id:	CVE-2004-2396

LAST UPDATE DATE

2024-08-14T15:20:13.282000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-10824	date:	2017-07-11T00:00:00
db:	BID	id:	10370	date:	2004-05-17T00:00:00
db:	CNNVD	id:	CNNVD-200412-959	date:	2005-10-20T00:00:00
db:	NVD	id:	CVE-2004-2396	date:	2017-07-11T01:31:51.717

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-10824	date:	2004-12-31T00:00:00
db:	BID	id:	10370	date:	2004-05-17T00:00:00
db:	CNNVD	id:	CNNVD-200412-959	date:	2004-05-17T00:00:00
db:	NVD	id:	CVE-2004-2396	date:	2004-12-31T05:00:00