SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#120593

Meridian Prolog Manager uses weak authentication to store and transmit user credentials

Overview

Meridian Systems Prolog Manager does not use strong encryption and returns a list of all user credentials when authenticating clients. These behaviors could allow an attacker to obtain user credentials and decrypt passwords.

I. Description

Meridian Systems Prolog Manager is a set of construction project management tools that are designed to interface with a Microsoft SQL Server.

Prolog Manager administrators can choose to use one of the following methods to encrypt the passwords:

  • no encryption
  • standard encryption
  • enhanced encryption
By default, no encrytion is selected, and Prolog Manager does not use sufficiently strong encryption when standard encryption or enhanced encryption are selected. In addition, when a client logs into Prolog Manager, the authentication credentials of all users in the system are returned to the client. An attacker could obtain credentials by sniffing network traffic or by sending an invalid login request to the Prolog Manager server and capturing the response. The attacker may then be able to decrypt passwords offline.

II. Impact

An attacker who can intercept network traffic or send an invalid loin request can obtain authentication credentials and decrypt passwords.

III. Solution

We are currently unaware of a practical solution to this problem.

Use database and network encryption

  • Enabling the enhanced encryption option may increase the effort required for an attacker to decrpt passwords. See the Meridian November 2004 Product Tip for more information about enabling encryption.
  • Using an encrypted VPN or similar technology when accessing the Prolog Manager server may prevent an attacker from sniffing network traffic.

Systems Affected
VendorStatusDate NotifiedDate Updated
Meridian SystemsVulnerable19-Dec-2007

References


http://www.meridiansystems.com/products/prolog/PM/projectmanagementtools.asp
http://www.meridiansystems.com/newsevents/newsletter/Newsletter_November_04_tip.htm
http://www.securityfocus.com/archive/1/484886/30/0/threaded
http://www.microsoft.com/protect/yourself/password/create.mspx
http://secunia.com/advisories/28065/

Credit

Information about this vulnerability was posted on the bugtraq mailing list.

This document was written by Ryan Giobbi.

Other Information

Date Public:2007-12-11
Date First Published:2007-12-17
Date Last Updated:2007-12-19
CERT Advisory: 
CVE-ID(s):CVE-2007-6330
NVD-ID(s):CVE-2007-6330
US-CERT Technical Alerts: 
Metric:1.77
Document Revision:28

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2007 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader