CVE-2008-2747

No-IP Dynamic Update Client (DUC) 2.2.1 on Windows uses weak permissions for the HKLM\SOFTWARE\Vitalwerks\DUC registry key, which allows local users to obtain obfuscated passwords and other sensitive information by reading the (1) TrayPassword, (2) Username, (3) Password, and (4) Hosts registry values.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://secunia.com/advisories/30714	Vendor Advisory
http://securityreason.com/securityalert/3952
http://www.securityfocus.com/archive/1/493367/100/0/threaded
http://www.securityfocus.com/bid/29758
https://exchange.xforce.ibmcloud.com/vulnerabilities/43298

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

cpe:2.3:a:no-ip:dynamic_update_client:2.2.1:*:*:*:*:*:*:*

History

No history.

Information

Published : 2008-06-18 19:41

Updated : 2024-02-04 17:33

NVD link : CVE-2008-2747

Mitre link : CVE-2008-2747

CVE.ORG link : CVE-2008-2747

JSON object : View

Products Affected

microsoft

windows

no-ip

dynamic_update_client

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2008-2747", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2008-06-18T19:41:00.000", "references": [{"url": "http://secunia.com/advisories/30714", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://securityreason.com/securityalert/3952", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/493367/100/0/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/29758", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/43298", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "No-IP Dynamic Update Client (DUC) 2.2.1 on Windows uses weak permissions for the HKLM\\SOFTWARE\\Vitalwerks\\DUC registry key, which allows local users to obtain obfuscated passwords and other sensitive information by reading the (1) TrayPassword, (2) Username, (3) Password, and (4) Hosts registry values."}, {"lang": "es", "value": "No-IP Dynamic Update Client (DUC) 2.2.1 sobreWindows usa permisos d\u00e9biles para la clave de registro HKLM\\SOFTWARE\\Vitalwerks\\DUC, lo que permite a usuarios locales obtener contrase\u00f1as ofuscadas y otra informaci\u00f3n sensible leyendo los valores de registro (1) TrayPassword, (2) Username, (3) Password y (4) Hosts"}], "lastModified": "2018-10-11T20:42:52.087", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:no-ip:dynamic_update_client:2.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82ADAF61-8C0C-4231-BD1F-4BB54B786B38"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}