hfaxd in HylaFAX before 4.2.1, when installed with a "weak" hosts.hfaxd file, allows remote attackers to authenticate and bypass intended access restrictions via a crafted (1) username or (2) hostname that satisfies a regular expression that is matched against a hosts.hfaxd entry without a password.

A flaw in HylaFAX may allow an attacker to bypass normal authentication by spoofing their DNS PTR records.

The remote host is affected by the vulnerability described in GLSA-200501-21 (HylaFAX: hfaxd unauthorized login vulnerability)

    The code used by hfaxd to match a given username and hostname with     an entry in the hosts.hfaxd file is insufficiently protected against     malicious entries.
  Impact :

    If the HylaFAX installation uses a weak hosts.hfaxd file, a remote     attacker could authenticate using a malicious username or hostname and     bypass the intended access restrictions.
  Workaround :

    As a workaround, administrators may consider adding passwords to     all entries in the hosts.hfaxd file.

Patrice Fournier discovered a vulnerability in the authorization sub-system of hylafax. A local or remote user guessing the contents of the hosts.hfaxd database could gain unauthorized access to the fax system.

The updated packages are provided to prevent this issue. Note that the packages included with Corporate Server 2.1 do not require this fix.

Patrice Fournier discovered a vulnerability in the authorisation subsystem of hylafax, a flexible client/server fax system. A local or remote user guessing the contents of the hosts.hfaxd database could gain unauthorised access to the fax system.

Some installations of hylafax may actually utilise the weak hostname and username validation for authorized uses. For example, hosts.hfaxd entries that may be common are

  192.168.0 username:uid:pass:adminpass user@host

After updating, these entries will need to be modified in order to continue to function. Respectively, the correct entries should be

  192.168.0.[0-9]+ username@:uid:pass:adminpass user@host

Unless such matching of 'username' with 'otherusername' and 'host' with 'hostname' is desired, the proper form of these entries should include the delimiter and markers like this

  @192.168.0.[0-9]+$ ^username@:uid:pass:adminpass ^user@host$

The remote host is running HylaFAX, a fax transmission software.

It is reported that HylaFAX is prone to an access control bypass vulnerability. An attacker, exploiting this flaw, may be able to gain unauthorized access to the service.

ID	Name	Product	Family	Severity
19027	FreeBSD : hylafax -- unauthorized login vulnerability (8eabaad9-641f-11d9-92a7-000a95bc6fae)	Nessus	FreeBSD Local Security Checks	high
16412	GLSA-200501-21 : HylaFAX: hfaxd unauthorized login vulnerability	Nessus	Gentoo Local Security Checks	high
16157	Mandrake Linux Security Advisory : hylafax (MDKSA-2005:006)	Nessus	Mandriva Local Security Checks	high
16131	Debian DSA-634-1 : hylafax - weak hostname and username validation	Nessus	Debian Local Security Checks	high
16126	HylaFAX Remote Access Control Bypass	Nessus	Misc.	high

Detections

Analytics

CVE-2004-1182

critical

Tenable Plugins

high

high

high

high

high