Bug: Vulnerability in Credant Mobile Guardian Shield for Windows ( Ascii Version )

Search:
WLB2

Vulnerability in Credant Mobile Guardian Shield for Windows

Published
Credit
Risk
2007.06.05
Mike Iacovacci
Medium
CWE
CVE
Local
Remote
N/A
CVE-2007-2883
Yes
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.6/10
6.4/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

Vulnerability in Credant Mobile Guardian Shield for Windows

Vendor: Credant Technologies Inc. http://www.credant.com/

Product: Credant Mobile Guardian Shield for Windows

Version: 5.2.1.105 (and prior)

Affected Operating Systems: Windows XP SP2 (and likely others)

Product Overview:

Credant Technologies markets the Credant Mobile Guardian Shield for Windows as part of their data security solution for
mobile devices. The product is installed on a mobile device (e.g. Laptop). The shield receives its policy from a
centralized server which dictates the encryption settings as defined by the Credant administrator. Credant Technologies
has trademarked their encryption approach as ?Policy based Intelligent Encryption?; this means that the product does not
provide full disk encryption. This approach allows the Credant administrator to dictate what files and directories are
to be encrypted e.g. All .doc files regardless of directory, and all files in the ?My Documents? folder. By default,
Credant does not encrypt the paging file, operating system files, or slack space to improve performance.

Vulnerability Details:

A serious security flaw is present in Credant Mobile Guardian Shield for Windows versions 5.2.1.105 and prior. Several
instances of the users Windows Domain name, Domain username, and password are stored in plain text within the memory
(RAM) of the mobile device. This risk is compounded by the fact that the Windows paging file is not encrypted per
default settings. The unencrypted paging file would likely contain the plain text Windows Domain credentials as well.

Attack Scenario?s:

1) Offline attack: A lost or stolen device would allow as attacker to search the paging file with the goal of obtaining
the plaintext Domain credentials, once obtained the attacked could simply boot the device and login thereby gaining
complete access to the encrypted data.

2) Online attack: An attacker could create a malicious program which upon execution would dump the active memory image /
or locate the area in memory where the password is stored and retrieve it. The memory image or password could then be
sent over a network to the attacker.

Methodology:

To reproduce and confirm the findings a clean Windows XP SP2 build without Credant Mobile Guardian Shield for Windows
was installed, a dump and search of the memory for the plaintext domain password yielded no matches (ruling out the
Windows OS). Credant Mobile Guardian Shield software version 5.2.1.105 was then loaded. The memory was dumped and
searched following a reboot and Domain login, the password was stored (multiple times) in plaintext within memory.

Workarounds:

Contact vendor for patch 5.2.1.125

Credit:

Mike Iacovacci

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version