[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201108151549.p7FFnZbZ022527@sf01web1.securityfocus.com>
Date: Mon, 15 Aug 2011 15:49:35 GMT
From: robkraus@...tionary.com
To: bugtraq@...urityfocus.com
Subject: NetSaro Enterprise Messenger Server Plaintext Password Storage
Vulnerability
NetSaro Enterprise Messenger Server Plaintext Password Storage Vulnerability
CVSS Risk Rating: 4.6 (Medium)
Product: NetSaro Enterprise Messenger Server
Application Vendor: SEM Software
Vendor URL: http://www.netsaro.com/
Public disclosure date: 8/15/2011
Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research Team (SERT)
Solutionary ID: SERT-VDN-1011
Solutionary public disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/NetSaro-Enterprise-Messenger-Vuln-Password.html
Vulnerability Description: A vulnerability exists in the NetSaro Enterprise Messenger Server application allowing an attacker to obtain access to plaintext usernames and passwords. The stored passwords are used to authenticate users running the NetSaro Enterprise Client connecting to the server. This is a second level attack that requires access to the password files stored within the application root directory. An attacker who has previously compromised the host operating system or gained direct access to the NetSaro.fdb database file found in the "NetSaro Enterprise ServerDb" directory can obtain the user credentials using readily available tools. More information about this class of vulnerability can be obtained by visiting http://cwe.mitre.org/top25/index.html#CWE-311: Missing Encryption of Sensitive Data– CWE 311
Affected software versions: NetSaro Enterprise Messenger Server v2.0 (previous versions may also be vulnerable)
Impact: In cases where access to the NetSaro.fdb file is achieved an attacker can obtain username and password values and reuse them against other systems within the network or cause disruption of services.
Fixed in: None Available
Remediation guidelines: Limit access to this hosts running the software and apply security patches as they become available.
Powered by blists - more mailing lists