lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 2 Aug 2004 15:40:04 -0400
From: "Jody McCluggage" <jody@...landmhrb.org>
To: <bugtraq@...urityfocus.com>
Subject: RE: Sonicwall diag tool includes VPN credentlials


Hello,

Yes, I have also ran into this several times with the SonicWall tech
support.  They ALWAYS ask me to send the TSR, with all the options checked,
via regular email.  I did not realize just how sensitive these were until I
actually read one.  I immediately changed my shared secret password and had
all my VPN clients updated after that.  I refuse to send these reports via
email now, but they still always ask.  I now attach them to my https
mysonicwall page.  I am just amazed how supposed "security professionals "
always advocate sending this report via email.

Jody

-----Original Message-----
From: Stephan Sachweh [mailto:Stephan.Sachweh@...las.com]
Sent: Monday, August 02, 2004 3:54 AM
To: bugtraq@...urityfocus.com
Cc: Milton Lopez
Subject: RE: Sonicwall diag tool includes VPN credentlials


Milton Lopez <mlopez@...tc.org> wrote on 30.07.2004 23:46:07:

> Our Sonicwall Pro 300 firewall appliance includes a diagnostic tool
> called "Tech Support Report", which dumps the current configuration
> info to a plain text file. I have been asked by Sonicwall personnel
> to email this file as an attachment during several tech. support
> calls, without any additional warning or explanation.

Before downloading there is a Warning "You are about to export sensitive
information in plaintext format. Continue?". So the firmware tells you,
what you are doing.

> One of the
> items included in the report is a plain-text copy of the Shared
> Secret used for authenticating VPN users. Unless everything I've
> read about protecting this kind of information is suddenly not true,
> sending unprotected shared secrets to anyone via email is very bad
> idea.

The shared secret is not included in the standard report. You have to tag
"VPN Keys" before generating the report.
But sure, the Tech Support Report includes other sensitive information (IP
networks connected, routing tables, mail addresses etc).

I would not send this report by plain mail. Normally the TechSupport
Report should be added to a https protected customer portal site at
sonicwall. I had never been asked by sonicwall tech support to send a
report by mail.

Freundliche Grüße

Stephan Sachweh
Technischer Leiter, Prokurist
--------------------------------------------------------------------
//// pallas
Pallas GmbH / Hermülheimer Str. 10 / 50321 Brühl
Stephan.Sachweh@...las.com / www.pallas.com
Tel 02232-1896-62 / Fax 02232-1896-29 / Mobil 0173-5490754
--------------------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ