Tarantella Enterprise information disclosure

tarantella-enterprise-obtain-information (19407). The risk level is classified as Medium Risk.

Description:

Tarantella Enterprise could allow a remote attacker to determine whether a valid username currently exists and which authentication method is in use. If multiple users share a single username while using RSA SecurID, a remote attacker could trigger a failed login attempt that causes the system to display an error message, revealing whether a valid username currently exists on the system and the method of authentication being used.
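A defender-side regression check for this class of disclosure, added here as an example; it is not part of the original advisory and is not Tarantella code. The account store, message strings and function names are constructed assumptions. It compares the failure response for an unknown user, a password account and a SecurID account.

```python
import hashlib
import hmac

def _h(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

# Constructed sample accounts (hypothetical): username -> (auth method, credential hash)
ACCOUNTS = {
    "alice": ("password", _h("correct horse")),
    "shared": ("securid", _h("123456")),
}
GENERIC_FAILURE = "Login failed."
_DUMMY_HASH = _h("placeholder credential for unknown users")

def leaky_login(user, secret):
    """Failure text depends on account state, the behaviour the advisory describes."""
    if user not in ACCOUNTS:
        return "Unknown user."
    method, stored = ACCOUNTS[user]
    if hmac.compare_digest(_h(secret), stored):
        return "OK"
    # Naming the scheme in the error tells the caller the user exists and how it authenticates.
    return "SecurID passcode rejected." if method == "securid" else "Wrong password."

def uniform_login(user, secret):
    """Same comparison work and the same failure text for every failing case."""
    _method, stored = ACCOUNTS.get(user, ("password", _DUMMY_HASH))
    matches = hmac.compare_digest(_h(secret), stored)
    return "OK" if (matches and user in ACCOUNTS) else GENERIC_FAILURE

def failure_responses(login):
    """Distinct responses to a wrong credential across the three account states."""
    probes = ["nobody", "alice", "shared"]  # unknown, password user, SecurID user
    return {login(user, "wrong-secret") for user in probes}

def discloses_account_state(login):
    """True when the failure response varies with username validity or auth method."""
    return len(failure_responses(login)) > 1

if __name__ == "__main__":
    for handler in (leaky_login, uniform_login):
        print(handler.__name__, sorted(failure_responses(handler)),
              "discloses:", discloses_account_state(handler))
```

The check covers response text only; response timing and status codes would need the same comparison.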

Platforms Affected:

  • Sun, Secure Global Desktop 3.42
  • Sun, Secure Global Desktop 4.0 Enterprise
  • Tarantella, Tarantella Enterprise 3.30
  • Tarantella, Tarantella Enterprise 3.40

Remedy:

No remedy available as of July 4, 2009.

Consequences:

Gain Access

References:

  • Secure Global Desktop Enterprise Edition Web page, Secure Global Desktop Enterprise Edition at http://www.tarantella.com/products/ee/.
  • Tarantella Enterprise Web page, Tarantella Enterprise 3 at http://www.tarantella.com/products/e3/.
  • BID-12591: Tarantella Enterprise/Secure Global Desktop Remote Information Disclosure Vulnerability
  • CVE-2005-0486: Tarantella Secure Global Desktop Enterprise Edition 4.00 and 3.42, and Tarantella Enterprise 3 3.40 and 3.30, when using RSA SecurID and multiple users have the same username, reveals sensitive information during authentication, which allows remote attackers to identify valid usernames and the authentication scheme.

Reported:

Feb 18, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
