TITLE:
Tarantella Products User Account Enumeration Security Issue

SECUNIA ADVISORY ID:
SA14348

VERIFY ADVISORY:
http://secunia.com/advisories/14348/

CRITICAL:
Less critical

IMPACT:
Exposure of system information

WHERE:
From remote

SOFTWARE:
Tarantella Enterprise 3.x
http://secunia.com/product/1692/
Secure Global Desktop 3.x
http://secunia.com/product/4683/
Secure Global Desktop 4.x
http://secunia.com/product/4004/

DESCRIPTION:
A security issue has been reported in Secure Global Desktop Enterprise Edition and Tarantella Enterprise, which can be exploited by malicious people to enumerate valid user accounts and disclose some system information.

The error message returned for failed logins discloses if the user account exists and if RSA SecurID authentication is in use.

Successful exploitation requires that RSA SecurID is enabled and that users share the same username.

The following products are reportedly affected:
* Secure Global Desktop Enterprise Edition, version 4.00
* Secure Global Desktop Enterprise Edition, version 3.42
* Tarantella Enterprise 3, version 3.40
* Tarantella Enterprise 3, version 3.30

SOLUTION:
Ensure that no RSA username is mapped to more than one ENS user object.

The security issue will reportedly be fixed in releases later than 4.00.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Eliot Mansfield.

ORIGINAL ADVISORY:
http://www.tarantella.com/security/bulletin-11.html
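The SOLUTION above asks administrators to ensure that no RSA username is mapped to more than one ENS user object. The following is an added example, not part of the Secunia or vendor advisory, of one way to audit that condition. The tab-separated export format, the sample entries and the case-insensitive comparison are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample (not real data). Assumed export format: one line per
# ENS user object, "<ENS user object><TAB><RSA username>".
SAMPLE_EXPORT = "\n".join([
    "# ens_object\trsa_username",
    "o=Example/ou=Sales/cn=Alice Adams\taadams",
    "o=Example/ou=Support/cn=Alice Adams\tAAdams ",  # same user, other case
    "o=Example/ou=Sales/cn=Bob Brown\tbbrown",
    "o=Example/ou=Sales/cn=Bob Brown\tbbrown",       # repeated line, same object
    "o=Example/ou=IT/cn=Carol Clark\t",              # no RSA username mapped
]) + "\n"


def shared_rsa_usernames(export_text, ignore_case=True):
    """Return {rsa_username: [ENS objects]} for usernames mapped to >1 object."""
    objects_by_user = defaultdict(set)
    for row in csv.reader(io.StringIO(export_text), delimiter="\t"):
        if not row or row[0].lstrip().startswith("#"):
            continue  # blank line or comment
        if len(row) != 2:
            raise ValueError(f"malformed line: {row!r}")
        ens_object, username = (field.strip() for field in row)
        if not username:
            continue  # object is not mapped to any RSA username
        # Assumption: usernames differing only in case count as the same user.
        key = username.casefold() if ignore_case else username
        objects_by_user[key].add(ens_object)  # set: repeated lines collapse
    return {
        user: sorted(objs)
        for user, objs in objects_by_user.items()
        if len(objs) > 1
    }


if __name__ == "__main__":
    for user, objs in shared_rsa_usernames(SAMPLE_EXPORT).items():
        print(f"RSA username {user!r} is mapped to {len(objs)} ENS user objects:")
        for obj in objs:
            print(f"  {obj}")
```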