Cheops NG cleartext authentication
Article ID: 20162
Last updated: 27 Jan, 2009
Posted: 22 Jan, 2009
by: Tech Pubs S.
Updated: 27 Jan, 2009
by: Tech Pubs S.
This script is Copyright (C) 2005-2009 Michel Arboi

Family: Service detection
Plugin ID: 20162
Bugtraq ID:
CVE ID:

Description:
Synopsis :
The remote Cheops NG agent is affected by an information disclosure
issue.
Description :
A Cheops NG agent is running on this port. Users with a valid account
on the remote host can connect to this service and use it to map your
network, portscan machines and identify running services.
The agent is configured to allow unencrypted connections, so passwords
are transmitted in cleartext and may be sniffed.
In addition, it is possible to brute-force logins and passwords on the
remote host using this agent.
Solution :
Configure Cheops to run on top of SSL or block this port from outside
communication if you want to further restrict the use of Cheops.
Risk factor :
Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)