Vulnerabilities > CVE-2004-1342 - Unspecified vulnerability in CVS

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
cvs
nessus

Summary

CVS 1.12 and earlier on Debian GNU/Linux, when using the repouid patch, allows remote attackers to bypass authentication via the pserver access method.

Nessus

NASL familyDebian Local Security Checks
NASL idDEBIAN_DSA-715.NASL
descriptionSeveral problems have been discovered in the CVS server, which serves the popular Concurrent Versions System. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2004-1342 Maks Polunin and Alberto Garcia discovered independently that using the pserver access method in connection with the repouid patch that Debian uses it is possible to bypass the password and gain access to the repository in question. - CAN-2004-1343 Alberto Garcia discovered that a remote user can cause the cvs server to crash when the cvs-repouids file exists but does not contain a mapping for the current repository, which can be used as a denial of service attack.
last seen2020-06-01
modified2020-06-02
plugin id18151
published2005-04-28
reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/18151
titleDebian DSA-715-1 : cvs - several vulnerabilities
code
#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-715. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(18151);
  script_version("1.25");
  script_cvs_date("Date: 2019/08/02 13:32:18");

  script_cve_id("CVE-2004-1342", "CVE-2004-1343");
  script_xref(name:"CERT", value:"327037");
  script_xref(name:"DSA", value:"715");

  script_name(english:"Debian DSA-715-1 : cvs - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several problems have been discovered in the CVS server, which serves
the popular Concurrent Versions System. The Common Vulnerabilities and
Exposures project identifies the following problems :

  - CAN-2004-1342
    Maks Polunin and Alberto Garcia discovered independently
    that using the pserver access method in connection with
    the repouid patch that Debian uses it is possible to
    bypass the password and gain access to the repository in
    question.

  - CAN-2004-1343

    Alberto Garcia discovered that a remote user can cause
    the cvs server to crash when the cvs-repouids file
    exists but does not contain a mapping for the current
    repository, which can be used as a denial of service
    attack."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=260200"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2005/dsa-715"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the cvs package.

For the stable distribution (woody) these problems have been fixed in
version 1.11.1p1debian-10."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cvs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/04/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/28");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/27");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"3.0", prefix:"cvs", reference:"1.11.1p1debian-10")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");