Secunia Security Advisory - A security issue has been reported in Secure Global Desktop Enterprise Edition and Tarantella Enterprise, which can be exploited by malicious people to enumerate valid user accounts and disclose some system information.
TITLE:
Tarantella Products User Account Enumeration Security Issue
SECUNIA ADVISORY ID:
SA14348
VERIFY ADVISORY:
http://secunia.com/advisories/14348/
CRITICAL:
Less critical
IMPACT:
Exposure of system information
WHERE:
From remote
SOFTWARE:
Tarantella Enterprise 3.x
http://secunia.com/product/1692/
Secure Global Desktop 3.x
http://secunia.com/product/4683/
Secure Global Desktop 4.x
http://secunia.com/product/4004/
DESCRIPTION:
A security issue has been reported in Secure Global Desktop
Enterprise Edition and Tarantella Enterprise, which can be exploited
by malicious people to enumerate valid user accounts and disclose
some system information.
The error message returned for failed logins discloses if the user
account exists and if RSA SecurID authentication is in use.
Successful exploitation requires that RSA SecurID is enabled and that
users share the same username.
The following products are reportedly affected:
* Secure Global Desktop Enterprise Edition, version 4.00
* Secure Global Desktop Enterprise Edition, version 3.42
* Tarantella Enterprise 3, version 3.40
* Tarantella Enterprise 3, version 3.30
SOLUTION:
Ensure that no RSA username is mapped to more than one ENS user
object.
The security issue will reportedly be fixed in releases later than
4.00.
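
One way to audit for the condition named under SOLUTION, as an added example that is not part of the Secunia or vendor advisory. It assumes the ENS-to-RSA mapping has been exported to a two-column CSV (`ens_object`, `rsa_username`); that layout, the sample rows and the function name are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per ENS user object and the RSA SecurID
# username it is mapped to. The two-column layout is an assumption; the
# advisory does not describe how to export this mapping.
SAMPLE_EXPORT = """\
ens_object,rsa_username
o=Example/ou=Sales/cn=Alice Smith,asmith
o=Example/ou=Support/cn=Adam Smith,asmith
o=Example/ou=Sales/cn=Bob Jones,bjones
o=Example/ou=IT/cn=Carol White,cwhite
o=Example/ou=Contractors/cn=C White, CWhite
o=Example/ou=IT/cn=Service Account,
"""


def shared_rsa_usernames(export_text, case_sensitive=False):
    """Return {rsa_username: sorted ENS objects} for every RSA username
    that is mapped to more than one distinct ENS user object."""
    mapping = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        username = (row.get("rsa_username") or "").strip()
        ens_object = (row.get("ens_object") or "").strip()
        if not username or not ens_object:
            continue  # object has no RSA mapping, nothing to check
        # Assumption: usernames differing only by case are treated as the
        # same account, so they are folded together unless told otherwise.
        key = username if case_sensitive else username.lower()
        mapping[key].add(ens_object)
    return {
        user: sorted(objects)
        for user, objects in sorted(mapping.items())
        if len(objects) > 1
    }


if __name__ == "__main__":
    findings = shared_rsa_usernames(SAMPLE_EXPORT)
    for user, objects in findings.items():
        print(f"RSA username {user!r} is mapped to {len(objects)} ENS user objects:")
        for obj in objects:
            print(f"  {obj}")
    raise SystemExit(1 if findings else 0)
```

The non-zero exit status on any finding lets the check run from a scheduled job until a fixed release is installed.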
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Eliot Mansfield.
ORIGINAL ADVISORY:
http://www.tarantella.com/security/bulletin-11.html