Vulnerability Note VU#778427

Intrinsic Swimage Encore does not securely manage login credentials

Original Release date: 18 Aug 2008 | Last revised: 27 Aug 2008

Overview

Intrinsic Swimage Encore has an unencrypted, hardcoded, default password that could allow an attacker access to protected data.

Description

Intrinsic Swimage Encore automates remote desktop, server, and device deployment. This product includes both a server and a client solution. The Swimage server sends to the client .bin files that contain encypted data. The Swimage client application, Conductor.exe, contains a hardcoded, unencrypted master password that can be used to access the data in these .bin files. Following a system installation the .bin files and Conductor.exe are unlinked from the remote client by the Swimage server, but the memory is not wiped.

Note that there is an option within Swimage Encore that allows the creation of bootable media. The .bin files on the bootable media use the unencrypted master password prior to version 5.0.1.21.

Impact

Authentication credentials may be stored in plain text on client machines. The credentials may also be sent unencrypted over the network.

Solution

Apply an update
This issue is addressed in Intrinsic Swimage Encore version 5.0.1.21. Customers should contact Encore Support at encoresupport@intrinsic.net to receive updates.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
IntrinsicAffected01 Aug 200818 Aug 2008
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

  • None

Credit

This issue was reported by Adam Fier of Lockheed Martin/NASA.

This document was written by Chris Taschner.

Other Information

  • CVE IDs: Unknown
  • Date Public: 28 Jul 2008
  • Date First Published: 18 Aug 2008
  • Date Last Updated: 27 Aug 2008
  • Severity Metric: 0.32
  • Document Revision: 12

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.