Vulnerability Note VU#339004
NeoScale Systems CryptoStor 700 series appliances fail to properly perform two-factor authentication
NeoScale Systems CryptoStor 700 series appliances fail to properly perform two-factor authentication. This can make it easier to bypass the CryptoStor authentication process.
NeoScale Systems CryptoStor Tape units are tape backup encryption appliances. CryptoStor 700 series units provide two-factor authentication for administration functions. This is accomplished with a smartcard token plus a username and password combination.
The smartcard aspect of the two-factor authentication is performed on the client side within the web browser, using ActiveX and script. Disabling ActiveX can bypass this part of the two-factor authentication.
An attacker with knowledge of only the username and password for the administration console can gain administrative access to the CryptoStor unit. This would allow an attacker to add, change, or delete encryption rules and keys, establish cluster members, export keys for archival, and more.
Apply an update
b) changes to the cgi-bin program within the CryptoStor Appliance to perform the actual authentication. The cgi-bin program was also modified to not work with the original version of the CryptoStor ActiveX component
c) implementation of a Thawte certificate for the CryptoStor ActiveX component
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|NeoScale Systems, Inc.||Affected||10 Aug 2006||21 Dec 2006|
CVSS Metrics (Learn More)
This document was written by Will Dormann.
- CVE IDs: CVE-2006-3896
- Date Public: 18 Dec 2006
- Date First Published: 18 Dec 2006
- Date Last Updated: 03 Jan 2007
- Severity Metric: 0.64
- Document Revision: 12
If you have feedback, comments, or additional information about this vulnerability, please send us email.