Vulnerability Note VU#339004

NeoScale Systems CryptoStor 700 series appliances fail to properly perform two-factor authentication

Overview

NeoScale Systems CryptoStor 700 series appliances fail to properly perform two-factor authentication. This can make it easier to bypass the CryptoStor authentication process.

I. Description

NeoScale Systems CryptoStor Tape units are tape backup encryption appliances. CryptoStor 700 series units provide two-factor authentication for administration functions. This is accomplished with a smartcard token plus a username and password combination.

The smartcard aspect of the two-factor authentication is performed on the client side within the web browser, using ActiveX and script. Disabling ActiveX can bypass this part of the two-factor authentication.

II. Impact

An attacker with knowledge of only the username and password for the administration console can gain administrative access to the CryptoStor unit. This would allow an attacker to add, change, or delete encryption rules and keys, establish cluster members, export keys for archival, and more.

III. Solution

Apply an update


This issue is addressed in the 2.6 version of the CryptoStor Tape 700 Series firmware. According to NeoScale, this version of the firmware makes the following changes:

    a) changing the CryptoStor ActiveX component to not perform the actual authentication, only to report on its success or failure. The CryptoStor ActiveX component version number was also changed.

    b) changes to the cgi-bin program within the CryptoStor Appliance to perform the actual authentication. The cgi-bin program was also modified to not work with the original version of the CryptoStor ActiveX component.

    c) implementation of a Thawte certificate for the CryptoStor ActiveX component.
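The following is an added illustration of the pattern described in sections I and III, not code from the vulnerability note or from NeoScale. It contrasts a login handler that trusts a client-supplied "token check passed" flag (the pre-2.6 behaviour, where the browser-side ActiveX component performed the check) with one in which the server issues a single-use challenge and verifies the response itself (the 2.6 behaviour, where the cgi-bin program performs the authentication). The credential store, the HMAC-based challenge response standing in for a smartcard signature, and all function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: username -> password hash plus the key the
# (simulated) smartcard signs with. A real appliance would hold only the
# card's public key or certificate; a shared HMAC key keeps this runnable.
USERS = {
    "admin": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "card_key": b"constructed-smartcard-key-0001",
    }
}


def password_ok(username: str, password: str) -> bool:
    """First factor: username and password, compared in constant time."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(user["pw_hash"], candidate)


def vulnerable_login(form: dict) -> bool:
    """Weak pattern: the server accepts the client's own report that the
    smartcard step succeeded. Whatever ran (or did not run) in the browser,
    the server sees only a flag, so the second factor is not enforced."""
    if not password_ok(form.get("username", ""), form.get("password", "")):
        return False
    return form.get("token_verified") == "1"


class ChallengeStore:
    """Server-side record of outstanding challenges, one per user, single use."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def issue(self, username: str) -> str:
        nonce = secrets.token_hex(16)
        self._pending[username] = nonce
        return nonce

    def consume(self, username: str):
        # pop() makes each challenge usable exactly once (no replay)
        return self._pending.pop(username, None)


def card_sign(card_key: bytes, nonce: str) -> str:
    """Stand-in for the smartcard computing a response to the challenge."""
    return hmac.new(card_key, nonce.encode(), hashlib.sha256).hexdigest()


def hardened_login(form: dict, store: ChallengeStore) -> bool:
    """Fixed pattern: the server generated the challenge and checks the
    response itself. The client can only present a response; it cannot
    assert that the check passed."""
    username = form.get("username", "")
    if not password_ok(username, form.get("password", "")):
        return False
    nonce = store.consume(username)
    if nonce is None:
        return False  # no outstanding challenge, or already used
    expected = card_sign(USERS[username]["card_key"], nonce)
    return hmac.compare_digest(expected, form.get("card_response", ""))


if __name__ == "__main__":
    # Same credentials, no card: the weak handler is satisfied by a flag,
    # the hardened one is not.
    creds = {"username": "admin", "password": "correct horse"}
    print("vulnerable, flag only :", vulnerable_login({**creds, "token_verified": "1"}))
    store = ChallengeStore()
    print("hardened, flag only   :", hardened_login({**creds, "token_verified": "1"}, store))
    # Legitimate flow: server issues challenge, card signs it, server verifies.
    nonce = store.issue("admin")
    resp = card_sign(USERS["admin"]["card_key"], nonce)
    print("hardened, real card   :", hardened_login({**creds, "card_response": resp}, store))
    print("hardened, replayed    :", hardened_login({**creds, "card_response": resp}, store))
```

The design point is where the decision is made: in the hardened handler the browser-side component can at most relay a signed response, which the server regenerates and compares, so removing or disabling the client component yields a failed login rather than a skipped factor. Consuming the nonce on first use also closes the replay of a captured response.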

Systems Affected

Vendor: NeoScale Systems, Inc.
Status: Vulnerable
Date Notified / Date Updated: 21-Dec-2006

References


http://www.neoscale.com/English/Products/CryptoStor_Tape.html
http://secunia.com/advisories/23430/
http://www.securityfocus.com/bid/21652
http://securitytracker.com/id?1017396

Credit

This document was written by Will Dormann.

Other Information

Date Public: 2006-12-18
Date First Published: 2006-12-18
Date Last Updated: 2007-01-03
CERT Advisory: 
CVE-ID(s): CVE-2006-3896
NVD-ID(s): CVE-2006-3896
US-CERT Technical Alerts: 
Metric: 0.64
Document Revision: 12

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information