CVE-ID

CVE-2002-0669

Description
The web interface for Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 allows administrators to cause a denial of service by modifying the SIP_AUTHENTICATE_SCHEME value to force authentication of incoming calls, which does not notify the user when an authentication failure occurs.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Date Entry Created
20020709
Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (20030317)
Votes (Legacy)
ACCEPT(1) Cole
NOOP(2) Cox, Wall
REJECT(1) Baker
Comments (Legacy)
 Baker> I don't believe that a configuration option by the administrator is a
   vulnerability.  The fact that the administrator can require authentication
   of users attempting to use the service, without notifying users that
   are NOT using authentication is not a vulnerability.  For example, I
   could configure sshd to allow only certain hosts to connect, by means of
   a key, and if someone else tried to connect that is not authorized, it
   would disallow it.  Similarly, the administrator could require authentication
   and only notify those users allowed to connect of the necessary authentication
   credentials to preclude un-authorized use of the system.  The only way I would
   see this as a vulnerability was if the change was able to be made without
   the proper credentials through some fault in the program, or if there was no way to enable authentication on
   any client trying to connect which would render the system unusable to everyone
   (but that would still not really be a vulnerability as much as a "stupid
   feature")
   The ability to make this change after gaining administrator privileges by means
   of another vulnerability does not make this a vulnerability.  I would classify
   this as a configuration setting that can severely restrict access, at the discretion
   of the administrator.

Proposed (Legacy)
20030317
This is an entry on the CVE list, which standardizes names for security problems.