Vulnerability Note VU#465239

NetSupport Manager Gateway transmits identifying information in plaintext

Original Release date: 03 Nov 2010 | Last revised: 03 Nov 2010

Overview

The NetSupport HTTP protocol implementation used for communication between the NetSupport Manager Gateway and NetSupport Manager Controls or NetSupport Manager Clients does not encrypt the HTTP headers sent between systems.

Description

The NetSupport HTTP protocol implementation used for communication between the NetSupport Manager Gateway and NetSupport Manager Controls or NetSupport Manager Clients sends HTTP headers between systems in plaintext. The headers of some NetSupport HTTP packets contain plaintext information that could be used to identify the client machine.

Impact

An attacker could view identifying information about the client machine, such as the client's IP address, hardware MAC address, the user's login name, and password hash.

Solution

Upgrade

According to the vendor's technical document, the NetSupport HTTP protocol implementation has been updated so that all header communication is encrypted in the current shipping version of the NetSupport Manager product (version 11.00.0005).

Additional information is available in the Vendors Affected section of this document.
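
One way to check captured Gateway traffic for the identifier types listed under Impact, for example to confirm that headers are no longer readable after upgrading. This is an added example, not code from CERT/CC or NetSupport; the header names, path, and values in the samples are constructed and do not reflect the actual NetSupport wire format.

```python
import re

# Patterns for the identifier types the note lists under Impact.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
PATTERNS = {
    "ipv4": re.compile(rf"\b{OCTET}(?:\.{OCTET}){{3}}\b"),
    "mac": re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b"),
    "hash": re.compile(r"\b[0-9A-Fa-f]{32,64}\b"),  # heuristic: long hex run
}

# Constructed samples; NOT the real NetSupport wire format.
SAMPLE_PLAINTEXT = (
    b"POST /placeholder HTTP/1.1\r\nHost: gateway.example\r\n"
    b"X-Client-Addr: 192.0.2.17\r\n"
    b"X-Client-Mac: 00-1A-2B-3C-4D-5E\r\n"
    b"X-Client-User: jdoe\r\n"
    b"X-Client-Auth: 0123456789abcdef0123456789abcdef\r\n\r\n"
)
SAMPLE_OPAQUE = (
    b"POST /placeholder HTTP/1.1\r\nHost: gateway.example\r\n"
    b"X-Payload: k3Jx0pQz8Lm2Vt7Yw9Rb\r\n\r\n"
)

def parse_headers(raw: bytes) -> dict:
    """Map header name -> value for a raw HTTP message (body ignored)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers

def find_plaintext_identifiers(raw: bytes, known_users=()) -> list:
    """Return (header, kind) pairs where a header value exposes an identifier."""
    findings = []
    for name, value in parse_headers(raw).items():
        if name.lower() == "host":
            continue  # names the gateway, not the client
        for kind, pattern in PATTERNS.items():
            if pattern.search(value):
                findings.append((name, kind))
        if any(u.lower() in value.lower() for u in known_users):
            findings.append((name, "username"))
    return findings

if __name__ == "__main__":
    for hit in find_plaintext_identifiers(SAMPLE_PLAINTEXT, ["jdoe"]):
        print(hit)
```

An empty result only means none of these patterns appeared in the headers; it does not by itself show that the traffic is encrypted.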

Vendor Information

Vendor          Status    Date Notified  Date Updated
NetSupport Ltd  Affected  -              10 Sep 2010
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to Matthew Whitehead for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: Unknown
  • Date Public: 03 Nov 2010
  • Date First Published: 03 Nov 2010
  • Date Last Updated: 03 Nov 2010
  • Severity Metric: 4.97
  • Document Revision: 21
