CVE-ID | ||
---|---|---|
CVE-2002-0669 |
Description | ||
The web interface for Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 allows administrators to cause a denial of service by modifying the SIP_AUTHENTICATE_SCHEME value to force authentication of incoming calls, which does not notify the user when an authentication failure occurs. | ||
References | ||
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete. | ||
Assigning CNA | ||
MITRE Corporation | ||
Date Record Created | ||
20020709 | Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | |
Phase (Legacy) | ||
Proposed (20030317) | ||
Votes (Legacy) | ||
ACCEPT(1) Cole NOOP(2) Cox, Wall REJECT(1) Baker |
Comments (Legacy) | ||
Baker> I don't believe that a configuration option by the administrator is a vulnerability. The fact that the administrator can require authentication of users attempting to use the service, without notifying users that are NOT using authentication is not a vulnerability. For example, I could configure sshd to allow only certain hosts to connect, by means of a key, and if someone else tried to connect that is not authorized, it would disallow it. Similarly, the administrator could require authentication and only notify those users allowed to connect of the necessary authentication credentials to preclude unauthorized use of the system. The only way I would see this as a vulnerability was if the change was able to be made without the proper credentials through some fault in the program, or if there was no way to enable authentication on any client trying to connect which would render the system unusable to everyone (but that would still not really be a vulnerability as much as a "stupid feature"). The ability to make this change after gaining administrator privileges by means of another vulnerability does not make this a vulnerability. I would classify this as a configuration setting that can severely restrict access, at the discretion of the administrator. |
Proposed (Legacy) | ||
20030317 | ||
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities. | ||