Vulnerability Note VU#591667

CoSoSys Endpoint Protector 4 appliance contains a predictable password for root-equivalent account vulnerability

Original Release date: 17 Sep 2012 | Last revised: 17 Sep 2012

Overview

CoSoSys Endpoint Protector 4 appliance contains a predictable password for root-equivalent accounts.

Description

According to the CoSoSys website, the Endpoint Protector 4 appliance is a DLP product used to prevent users from taking unauthorized data outside the company or bringing potentially harmful files in on USB devices, files which can have a significant impact on your network's health. The CoSoSys Endpoint Protector 4 appliance contains a predictable password for root-equivalent accounts. The activation script sets the password of the EPProot account to a value based on the sum of the digits in the appliance's serial number. The script cuts the serial number (10 numeric characters) out of a file and adds each digit together to populate the $SUMS variable. Then "eroot!00($SUM)RO", where $SUM is a number presumably from 0-90 (9*10), is set as the password for the epproot account. There are only 90 unique combinations, so it can be brute-forced.
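The following is an added example written for this note; it is not the vendor's activation script but a reconstruction of the scheme as described above (the template string and the assumption that the sum is not zero-padded are taken from the description). It quantifies why the scheme is weak: whatever the serial, the derived password is one of a tiny, fully enumerable set, which is the figure an auditor or risk assessor would want next to the CVSS score.

```python
import math

# Assumed reconstruction of the documented scheme: sum the ten decimal digits
# of the serial number and splice the sum into a fixed template.
PASSWORD_TEMPLATE = "eroot!00{sum}RO"
SERIAL_LENGTH = 10
MAX_DIGIT_SUM = 9 * SERIAL_LENGTH  # ten digits of 9 -> 90


def digit_sum(serial: str) -> int:
    """Sum the decimal digits of a 10-character numeric serial number."""
    if len(serial) != SERIAL_LENGTH or not serial.isdigit():
        raise ValueError("serial must be exactly 10 decimal digits")
    return sum(int(ch) for ch in serial)


def derived_password(serial: str) -> str:
    """Password the documented scheme would derive for a given serial."""
    return PASSWORD_TEMPLATE.format(sum=digit_sum(serial))


def serial_with_digit_sum(target: int) -> str:
    """Construct one valid serial whose digits sum to `target` (0..90).

    Used to show every possible sum is actually reachable: fill with 9s,
    add the remainder as one digit, pad the rest with 0s.
    """
    if not 0 <= target <= MAX_DIGIT_SUM:
        raise ValueError("no 10-digit serial has that digit sum")
    nines, remainder = divmod(target, 9)
    digits = "9" * nines + (str(remainder) if remainder else "")
    return digits.ljust(SERIAL_LENGTH, "0")


def keyspace() -> set:
    """Every distinct password the scheme can produce, across all 10^10
    serials, obtained without enumerating the serials themselves."""
    return {derived_password(serial_with_digit_sum(s))
            for s in range(MAX_DIGIT_SUM + 1)}


def entropy_bits(candidates: int) -> float:
    """Bits of guessing entropy for a uniformly chosen password among
    `candidates` possibilities (e.g. compare with 62 ** 16 for a random
    16-character alphanumeric password, roughly 95 bits)."""
    return math.log2(candidates)


if __name__ == "__main__":
    space = keyspace()
    print(f"{len(space)} distinct passwords, {entropy_bits(len(space)):.1f} bits")
```

Run stand-alone it reports the size of the derived-password set and its entropy in bits; a properly generated random password of equal length would exceed it by more than an order of magnitude.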

Impact

An attacker may be able to gather sensitive configuration information including account credentials or session authentication tokens of the CoSoSys Endpoint Protector 4 appliance.

Solution

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from accessing a CoSoSys Endpoint Protector 4 appliance using stolen credentials from a blocked network location.

Vendor Information

Vendor                      Status     Date Notified   Date Updated
CoSoSys Endpoint Security   Affected   30 Jul 2012     10 Sep 2012

CVSS Metrics

Group           Score   Vector
Base            6.8     AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal        5.2     E:POC/RL:W/RC:UC
Environmental   1.7     CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Christopher Campbell for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2012-2994
  • Date Public: 17 Sep 2012
  • Date First Published: 17 Sep 2012
  • Date Last Updated: 17 Sep 2012
  • Document Revision: 9
