lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <F72668E054C548C8AAB3058647E6C996@localhost>
Date: Mon, 24 Sep 2012 11:57:10 +0200
From: Stefan Kanthak <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
CC: <full-disclosure@...ts.grok.org.uk>
Subject: [Full-disclosure] "Dell Data Protection | Access" for Windows
	contains and installs outdated,
	superfluous and vulnerable system components and 3rd party
	components/drivers

Hi @ll

the current version of Dell's Data Protection | Access (DDPA) software for
Windows (Build 2.2.00003.008 from 2012-06-14, released August 2012) contains
and installs several outdated, superfluous and vulnerable Windows system
components as well as outdated and vulnerable 3rd party components and drivers.

<http://www.dell.com/support/drivers/uk/en/ukdhs1/DriverDetails?driverId=KPCWG>

>>From the readme.txt:

| Dell Data Protection | Access (DDP|A) is an integrated end point security
| management suite, providing for seamless data security and authentication.
| It allows you to authenticate using a fingerprint, smartcard, contactless
| smartcard or password. Pre-Windows can be configured to unlock self-encrypting
| drives upon authentication.


The outdated, superfluous and vulnerable components (incomplete):

#1. "Microsoft MSXML Parser.msi"    version 6.0 from 2005-09-09

     All versions of Windows supported by DDP|A include a newer version
     of MSXML 6.0, the latest update/security fix cf.
     <http://technet.microsoft.com/en-us/security/bulletin/ms12-043>


#2. "Microsoft Root Certificate Update October 2010\rootsupd.exe"

    The current Microsoft root certificate update is from April 2012,
    cf. <http://support.microsoft.com/kb/931125>


#3. "Microsoft Visual Studio Runtimes\vcredist_x86.exe"
                                     version 9.0.30729.17 from 2008-08-08

    For the current Microsoft Visual C++ 2008 Redistributable Package
    cf. <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>


#4. "Microsoft CCID Smartcard Reader for XP\usbccid.sys"
                                     version 5.2.3790.2444 from 2005-05-17

    The installer package for DDP|A but includes the hotfix
    "WindowsXP-KB967048-v2-x86-ENU.exe" with the current version of
    this driver: 5.2.3790.4476, 2009-03-17


#5. "AuthenTec AES2810 Fingerprint Reader\AT8MinFoose.msi"
                                     version 8.4.4.39 from 2012-02-02

    Cf. <http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/>


#6. "UPEK TouchChip Fingerprint Reader\UPEK_Touchchip.msi"
                                     version 5.9.4.6685 from 2010-09-15

    Cf. <http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/>

    This driver package contains parts of OpenSSL (no version specified),
    it installs a textfile "OpenSSL license" from 2006-06-14!
    So: add OpenSSL to the list of vulnerable components too.


#7. "UPEK TouchChip Fingerprint Reader PBA Support\spba.msi"
                                      version 5.9.4.6901 from 2010-??-??

    This package contains a vulnerable MSVCRT+ 2005 runtime (version
    8.0.50727.762)

    Cf. <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>

    This driver package contains parts of OpenSSL (no version specified),
    it installs a textfile "OpenSSL license" from 2006-06-14!
    So: add OpenSSL to the list of vulnerable components too.


#8. "Preboot Manager.msi"             version 03.02.00.119 from 2011-12-06
                                      by Wave Systems Corp.

    This package contains a vulnerable MSXML 4.0 SP2 (version 4.20.9818.0
    from 2003-04-18).
    Cf. <http://technet.microsoft.com/en-us/security/bulletin/ms12-043>

    This package contains a VTAPI.DLL (version 5.6.0.3239 from 2006-11-13)
    from UPEK Inc. (see #6 and #7 above) which contains parts of OpenSSL.
    So: yet another component with vulnerable OpenSSL code.

    JFTR: no textfile with the "OpenSSL license" included here.


#9. "NTRU CryptoSystems TCG Software Stack\NTRU-CTSS-v1.2.1.37-eu.msi"
                                      version 1.2.1.37 from 2011-10-08
                                      by NTRU CryptoSystems Inc.

    This package contains a vulnerable MSVCRT++ 2010 (version 10.0.30319.1
    from 2010-03-18), cf.
    <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>


... and more (I stopped counting)!


Dell Inc.: Don't you have any QA? Can't afford one?
UPEK Inc.: Don't you have any QA? Can't afford one?
Wave Corp.: Don't you have any QA? Can't afford one?
NTRU Inc.: Don't you have any QA? Can't afford one?

What about just a little bit of serious software engineering and due
diligence in your development, build and production processes?

It's a stupid idea to build security software from vulnerable components!


Stefan Kanthak


Timeline
~~~~~~~~

2012-08-24    informed vendor support

2012-09-24    no reaction/reply from vendor support, report published

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

The information transmitted in this message and its attachments (if any) is intended only for the person or entity to which it is addressed.

The message may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information, by persons or entities other than the intended recipient is prohibited.

If you have received this in error, please contact the sender and delete this e-mail and associated material from any computer.

The intended recipient of this e-mail may only use, reproduce, disclose or distribute the information contained in this e-mail and any attached files, with the permission of the sender.

This message has been scanned for viruses.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ