Vigil@nce: Samhain, bypassing the authentication
March 2009 by Vigil@nce
An attacker can bypass the SRP authentication of Samhain in order
to obtain sensitive information.
– Gravity: 2/4
– Consequences: privileged access/rights, data reading
– Provenance: intranet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 05/03/2009
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The Samhain program is a HIDS. It can be configured to send its
information to a yule server. The authentication between the
client and the server uses the SRP (Secure Remote Password)
protocol.
The SRP protocol is based on a modular exponentiation. Some values
(A, B and u) of the formula must not be zero, otherwise the
formula is simplified and the password is always validated.
However, Samhain does not check whether these values are zero. An
attacker can therefore authenticate on yule without knowing the
password.
As a result, the attacker can obtain sensitive information stored
on yule.
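The checks on A, B and u described above can be sketched as follows. This is an added example, not Samhain's or yule's code: the function names are hypothetical, and N and g are constructed toy values rather than a real SRP group.

```python
# Added example: SRP parameter checks. Not Samhain's code; names are hypothetical.
N = 2**127 - 1  # constructed toy prime modulus, NOT a real SRP group
g = 3           # constructed toy generator


class SRPParameterError(ValueError):
    """A peer-supplied value would make the SRP formula degenerate."""


def check_public_value(name, value):
    # 0, N, 2N, ... are all zero modulo N, so test the residue,
    # not the raw integer received from the peer.
    if value % N == 0:
        raise SRPParameterError(name + " is zero modulo N")
    return value % N


def check_scrambler(u):
    # With u == 0 the term v^u is 1 and the verifier drops out.
    if u == 0:
        raise SRPParameterError("u is zero")
    return u


def server_secret_unchecked(A, v, u, b):
    # Server side of SRP: S = (A * v^u)^b mod N, with no validation.
    return pow(A * pow(v, u, N), b, N)


def server_secret(A, v, u, b):
    # Same formula, but abort the handshake before any secret is derived.
    A = check_public_value("A", A)
    u = check_scrambler(u)
    return server_secret_unchecked(A, v, u, b)


def client_accepts(B, u):
    # Client side: B and u come from the server and get the same checks.
    check_public_value("B", B)
    check_scrambler(u)
    return True
```

Without the checks, the server-side secret is the same for every stored verifier v when A is a multiple of N or when u is zero, which is why the handshake has to be aborted at that point.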
CHARACTERISTICS
– Identifiers: VIGILANCE-VUL-8510
– Url: http://vigilance.fr/vulnerability/Samhain-bypassing-the-authentication-8510