lists.openwall.net: Open Source and information security mailing list archives
Message-Id: <201108151549.p7FFnZbZ022527@sf01web1.securityfocus.com>
Date: Mon, 15 Aug 2011 15:49:35 GMT
From: robkraus@...tionary.com
To: bugtraq@...urityfocus.com
Subject: NetSaro Enterprise Messenger Server Plaintext Password Storage Vulnerability

NetSaro Enterprise Messenger Server Plaintext Password Storage Vulnerability

CVSS Risk Rating: 4.6 (Medium)

Product: NetSaro Enterprise Messenger Server

Application Vendor: SEM Software

Vendor URL: http://www.netsaro.com/

Public disclosure date: 8/15/2011

Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research Team (SERT)

Solutionary ID: SERT-VDN-1011

Solutionary public disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/NetSaro-Enterprise-Messenger-Vuln-Password.html

Vulnerability Description: The NetSaro Enterprise Messenger Server stores in plaintext the usernames and passwords it uses to authenticate users of the NetSaro Enterprise Client. This is a second-stage attack: it requires read access to the password store kept under the application root directory. An attacker who has already compromised the host operating system, or who otherwise has direct access to the NetSaro.fdb database file in the "NetSaro Enterprise ServerDb" directory, can recover the credentials with readily available tools. This class of weakness is catalogued as CWE-311, Missing Encryption of Sensitive Data: http://cwe.mitre.org/top25/index.html#CWE-311
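The following is an added illustration by the editor, not code from the advisory or from NetSaro. It contrasts the CWE-311 pattern described above (credentials serialized verbatim into a file) with a salted, iterated password hash, and includes the check an attacker or auditor with file access would actually run: searching the raw file bytes for known password strings. The file layout, user records, and the PBKDF2 work factor are constructed for the example and are not NetSaro's format.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (not real NetSaro users). Passwords contain
# non-hex characters so they cannot accidentally match a hex-encoded digest.
USERS = {"alice": "Winter!2011", "bob": "hunter2-netsaro"}

# Assumed work factor; tune to what the server's login path can afford.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(users):
    """Vulnerable pattern (CWE-311): write username:password verbatim."""
    return b"\n".join(f"{u}:{p}".encode("utf-8") for u, p in users.items())


def hash_password(password, salt=None):
    """Salted, iterated hash. A memory-hard KDF (scrypt, yescrypt, Argon2)
    is preferable where available; PBKDF2-HMAC-SHA256 is used here because
    it ships in the Python standard library."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash from the stored parameters and compare in constant
    time so a timing side channel does not leak how many bytes matched."""
    scheme, iters, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def store_hashed(users):
    """Hardened store: only the verifier string is written, never the password."""
    return b"\n".join(
        f"{u}:{hash_password(p)}".encode("utf-8") for u, p in users.items()
    )


def find_plaintext_credentials(blob, candidates):
    """The check someone holding the file can run: look for known password
    strings in the raw bytes. Both UTF-8 and UTF-16LE are tried because
    Windows applications commonly persist strings as UTF-16LE."""
    hits = []
    for pw in candidates:
        if pw.encode("utf-8") in blob or pw.encode("utf-16-le") in blob:
            hits.append(pw)
    return hits


def demo():
    """Returns which passwords are recoverable from each store."""
    plain_blob = store_plaintext(USERS)
    hashed_blob = store_hashed(USERS)
    return {
        "plaintext_store_leaks": find_plaintext_credentials(plain_blob, USERS.values()),
        "hashed_store_leaks": find_plaintext_credentials(hashed_blob, USERS.values()),
    }


if __name__ == "__main__":
    print(demo())
```

The byte search is deliberately crude: it is what a grep over a copied database file amounts to, and it is enough to show that the plaintext store hands over every password to anyone who can read the file, while the hashed store forces an offline guessing attack whose cost is set by the salt and the iteration count.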

Affected software versions: NetSaro Enterprise Messenger Server v2.0 (previous versions may also be vulnerable)

Impact: An attacker who obtains the NetSaro.fdb file can recover the usernames and passwords, reuse them against other systems on the network where the same credentials are in use, or disrupt the messaging service.

Fixed in: None Available

Remediation guidelines: Restrict access to the hosts running the software, and to the NetSaro.fdb file and the directory that contains it, to the accounts that need it. Treat every password stored there as exposed if the host or the file may have been accessed by an untrusted party, and avoid reusing those passwords on other systems. Apply security patches as they become available.
