[<prev] [next>] [day] [month] [year] [list]
Message-ID: <F72668E054C548C8AAB3058647E6C996@localhost>
Date: Mon, 24 Sep 2012 11:57:10 +0200
From: Stefan Kanthak <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
CC: <full-disclosure@...ts.grok.org.uk>
Subject: [Full-disclosure] "Dell Data Protection | Access" for Windows
contains and installs outdated,
superfluous and vulnerable system components and 3rd party
components/drivers
Hi @ll
the current version of Dell's Data Protection | Access (DDPA) software for
Windows (Build 2.2.00003.008 from 2012-06-14, released August 2012) contains
and installs several outdated, superfluous and vulnerable Windows system
components as well as outdated and vulnerable 3rd party components and drivers.
<http://www.dell.com/support/drivers/uk/en/ukdhs1/DriverDetails?driverId=KPCWG>
>>From the readme.txt:
| Dell Data Protection | Access (DDP|A) is an integrated end point security
| management suite, providing for seamless data security and authentication.
| It allows you to authenticate using a fingerprint, smartcard, contactless
| smartcard or password. Pre-Windows can be configured to unlock self-encrypting
| drives upon authentication.
The outdated, superfluous and vulnerable components (incomplete):
#1. "Microsoft MSXML Parser.msi" version 6.0 from 2005-09-09
All versions of Windows supported by DDP|A include a newer version
of MSXML 6.0, the latest update/security fix cf.
<http://technet.microsoft.com/en-us/security/bulletin/ms12-043>
#2. "Microsoft Root Certificate Update October 2010\rootsupd.exe"
The current Microsoft root certificate update is from April 2012,
cf. <http://support.microsoft.com/kb/931125>
#3. "Microsoft Visual Studio Runtimes\vcredist_x86.exe"
version 9.0.30729.17 from 2008-08-08
For the current Microsoft Visual C++ 2008 Redistributable Package
cf. <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>
#4. "Microsoft CCID Smartcard Reader for XP\usbccid.sys"
version 5.2.3790.2444 from 2005-05-17
The installer package for DDP|A but includes the hotfix
"WindowsXP-KB967048-v2-x86-ENU.exe" with the current version of
this driver: 5.2.3790.4476, 2009-03-17
#5. "AuthenTec AES2810 Fingerprint Reader\AT8MinFoose.msi"
version 8.4.4.39 from 2012-02-02
Cf. <http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/>
#6. "UPEK TouchChip Fingerprint Reader\UPEK_Touchchip.msi"
version 5.9.4.6685 from 2010-09-15
Cf. <http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/>
This driver package contains parts of OpenSSL (no version specified),
it installs a textfile "OpenSSL license" from 2006-06-14!
So: add OpenSSL to the list of vulnerable components too.
#7. "UPEK TouchChip Fingerprint Reader PBA Support\spba.msi"
version 5.9.4.6901 from 2010-??-??
This package contains a vulnerable MSVCRT+ 2005 runtime (version
8.0.50727.762)
Cf. <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>
This driver package contains parts of OpenSSL (no version specified),
it installs a textfile "OpenSSL license" from 2006-06-14!
So: add OpenSSL to the list of vulnerable components too.
#8. "Preboot Manager.msi" version 03.02.00.119 from 2011-12-06
by Wave Systems Corp.
This package contains a vulnerable MSXML 4.0 SP2 (version 4.20.9818.0
from 2003-04-18).
Cf. <http://technet.microsoft.com/en-us/security/bulletin/ms12-043>
This package contains a VTAPI.DLL (version 5.6.0.3239 from 2006-11-13)
from UPEK Inc. (see #6 and #7 above) which contains parts of OpenSSL.
So: yet another component with vulnerable OpenSSL code.
JFTR: no textfile with the "OpenSSL license" included here.
#9. "NTRU CryptoSystems TCG Software Stack\NTRU-CTSS-v1.2.1.37-eu.msi"
version 1.2.1.37 from 2011-10-08
by NTRU CryptoSystems Inc.
This package contains a vulnerable MSVCRT++ 2010 (version 10.0.30319.1
from 2010-03-18), cf.
<http://technet.microsoft.com/en-us/security/bulletin/ms11-025>
... and more (I stopped counting)!
Dell Inc.: Don't you have any QA? Can't afford one?
UPEK Inc.: Don't you have any QA? Can't afford one?
Wave Corp.: Don't you have any QA? Can't afford one?
NTRU Inc.: Don't you have any QA? Can't afford one?
What about just a little bit of serious software engineering and due
diligence in your development, build and production processes?
It's a stupid idea to build security software from vulnerable components!
Stefan Kanthak
Timeline
~~~~~~~~
2012-08-24 informed vendor support
2012-09-24 no reaction/reply from vendor support, report published
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
The information transmitted in this message and its attachments (if any) is intended only for the person or entity to which it is addressed.
The message may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information, by persons or entities other than the intended recipient is prohibited.
If you have received this in error, please contact the sender and delete this e-mail and associated material from any computer.
The intended recipient of this e-mail may only use, reproduce, disclose or distribute the information contained in this e-mail and any attached files, with the permission of the sender.
This message has been scanned for viruses.
Powered by blists - more mailing lists