VAR-200306-0002
Vulnerability from variot - Updated: 2023-12-18 13:58The administration capability for Apple AirPort 802.11 wireless access point devices uses weak encryption (XOR with a fixed key) for protecting authentication credentials, which could allow remote attackers to obtain administrative access via sniffing when the capability is available via Ethernet or non-WEP connections. The Apple AirPort device is a wireless access point that provides 802.11 services to network clients. This device can be managed via TCP 5009 port through the management protocol.
The password encryption mechanism used in the management and verification process of Apple AirPort devices is too simple. Remote attackers can use this vulnerability to sniff the network and obtain password information.
AirPort devices use authentication passwords with a maximum length of 32 characters and perform XOR operations on predefined keys. When the password is transmitted to the network, the password is fixed to 32 bytes and sent. @stake used a single character as the password for the experiment. By observing the exchange of network packets, he found a 31-byte key for XOR operation. The last byte of the cipher text is the first word that has been encrypted The first byte of the ciphertext and plaintext password is XORed.
If AirPort can connect via the Ethernet interface or through an insecure wireless connection (without WEP), anonymous attackers can sniff the network to gain administrator access to the device. The problem lies in the administrative password being encoded using a simple XOR key. An attacker capable of intercepting authentication-based network traffic may trivially reverse the cipher, resulting in administrative access to the device
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200306-0002",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "802.11n",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "7.3.1"
},
{
"model": null,
"scope": null,
"trust": 0.6,
"vendor": "none",
"version": null
},
{
"model": "airport base station",
"scope": null,
"trust": 0.3,
"vendor": "apple",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-1333"
},
{
"db": "BID",
"id": "7554"
},
{
"db": "NVD",
"id": "CVE-2003-0270"
},
{
"db": "CNNVD",
"id": "CNNVD-200306-074"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:apple:802.11n:7.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2003-0270"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Jeremy Rauch\u203b jrauch@atstake.com\u203bDave G\u203b daveg@atstake.com",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200306-074"
}
],
"trust": 0.6
},
"cve": "CVE-2003-0270",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.6,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 4.9,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": true,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 7.6,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 4.9,
"id": "VHN-7099",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:H/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2003-0270",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-200306-074",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-7099",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-7099"
},
{
"db": "NVD",
"id": "CVE-2003-0270"
},
{
"db": "CNNVD",
"id": "CNNVD-200306-074"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The administration capability for Apple AirPort 802.11 wireless access point devices uses weak encryption (XOR with a fixed key) for protecting authentication credentials, which could allow remote attackers to obtain administrative access via sniffing when the capability is available via Ethernet or non-WEP connections. The Apple AirPort device is a wireless access point that provides 802.11 services to network clients. This device can be managed via TCP 5009 port through the management protocol. \n\n\u00a0The password encryption mechanism used in the management and verification process of Apple AirPort devices is too simple. Remote attackers can use this vulnerability to sniff the network and obtain password information. \n\n\u00a0AirPort devices use authentication passwords with a maximum length of 32 characters and perform XOR operations on predefined keys. When the password is transmitted to the network, the password is fixed to 32 bytes and sent. @stake used a single character as the password for the experiment. By observing the exchange of network packets, he found a 31-byte key for XOR operation. The last byte of the cipher text is the first word that has been encrypted The first byte of the ciphertext and plaintext password is XORed. \n\n\u00a0If AirPort can connect via the Ethernet interface or through an insecure wireless connection (without WEP), anonymous attackers can sniff the network to gain administrator access to the device. The problem lies in the administrative password being encoded using a simple XOR key. An attacker capable of intercepting authentication-based network traffic may trivially reverse the cipher, resulting in administrative access to the device",
"sources": [
{
"db": "NVD",
"id": "CVE-2003-0270"
},
{
"db": "CNVD",
"id": "CNVD-2003-1333"
},
{
"db": "BID",
"id": "7554"
},
{
"db": "VULHUB",
"id": "VHN-7099"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2003-0270",
"trust": 2.6
},
{
"db": "BID",
"id": "7554",
"trust": 2.0
},
{
"db": "SECTRACK",
"id": "1006742",
"trust": 1.7
},
{
"db": "SECUNIA",
"id": "8773",
"trust": 1.7
},
{
"db": "CNNVD",
"id": "CNNVD-200306-074",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2003-1333",
"trust": 0.6
},
{
"db": "XF",
"id": "11980",
"trust": 0.6
},
{
"db": "ATSTAKE",
"id": "A051203-1",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-7099",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-1333"
},
{
"db": "VULHUB",
"id": "VHN-7099"
},
{
"db": "BID",
"id": "7554"
},
{
"db": "NVD",
"id": "CVE-2003-0270"
},
{
"db": "CNNVD",
"id": "CNNVD-200306-074"
}
]
},
"id": "VAR-200306-0002",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-7099"
}
],
"trust": 0.48026314999999997
},
"last_update_date": "2023-12-18T13:58:40.115000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2003-0270"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "http://www.atstake.com/research/advisories/2003/a051203-1.txt"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/7554"
},
{
"trust": 1.7,
"url": "http://securitytracker.com/id?1006742"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/8773"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11980"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/11980"
},
{
"trust": 0.3,
"url": "http://www.apple.com/airport/"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-7099"
},
{
"db": "BID",
"id": "7554"
},
{
"db": "NVD",
"id": "CVE-2003-0270"
},
{
"db": "CNNVD",
"id": "CNNVD-200306-074"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2003-1333"
},
{
"db": "VULHUB",
"id": "VHN-7099"
},
{
"db": "BID",
"id": "7554"
},
{
"db": "NVD",
"id": "CVE-2003-0270"
},
{
"db": "CNNVD",
"id": "CNNVD-200306-074"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2003-05-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2003-1333"
},
{
"date": "2003-06-16T00:00:00",
"db": "VULHUB",
"id": "VHN-7099"
},
{
"date": "2003-05-12T00:00:00",
"db": "BID",
"id": "7554"
},
{
"date": "2003-06-16T04:00:00",
"db": "NVD",
"id": "CVE-2003-0270"
},
{
"date": "2003-05-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200306-074"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2003-05-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2003-1333"
},
{
"date": "2017-07-11T00:00:00",
"db": "VULHUB",
"id": "VHN-7099"
},
{
"date": "2009-07-11T22:06:00",
"db": "BID",
"id": "7554"
},
{
"date": "2017-07-11T01:29:30.277000",
"db": "NVD",
"id": "CVE-2003-0270"
},
{
"date": "2005-10-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200306-074"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200306-074"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple AirPort administrator password encryption vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2003-1333"
},
{
"db": "CNNVD",
"id": "CNNVD-200306-074"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Design Error",
"sources": [
{
"db": "BID",
"id": "7554"
},
{
"db": "CNNVD",
"id": "CNNVD-200306-074"
}
],
"trust": 0.9
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…