Vulnerability Note VU#789985

Physical access to a computer system can be used to bypass software-based access control mechanisms

Original Release date: 06 Mar 2003 | Last revised: 07 Mar 2003

Overview

An intruder who gains physical access to a computer system can bypass software-based control mechanisms.

Description

If an intruder can gain physical access to a computer resource, he can bypass software-based access control mechanisms, install Trojans horses, install hardware to facilitate subsequent access, copy data to another device, boot the computer into another operating system, modify data stored on the device, or destroy, steal, or disable physical components, including security-related components. This has been well documented. See


Data may be protected by encrypting it using strong cryptography. However, an intruder is still able to copy or modify the encrypted data. If the data is copied, an intruder may have the resources available to conduct off-line cryptographic attacks against the data. If the data is modified, it may be rendered useless. Alternately, the intruder may be able to insert a Trojan horse that will lead to subsequent compromise.

You should not assume that access control lists or other software-based security mechanisms provided by an operating system will prevent an intruder from gaining access to data if the intruder can boot the computer into an alternate operating system.

Impact

An intruder who gains physical access to a computer system can alter or control any aspect of the hardware and software. Encrypted data may provide protection against data theft.

Solution

Restrict physical access to computer systems to only those personnel who must have access. Consider using an encrypting file system or database to encrypt data stored on mobile devices such as laptops or PDAs. Restrict access to network closets or data centers.

Systems Affected (Learn More)

No information available. If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This document was written by Shawn V Hernan.

Other Information

  • CVE IDs: Unknown
  • Date Public: 01 Jan 70
  • Date First Published: 06 Mar 2003
  • Date Last Updated: 07 Mar 2003
  • Severity Metric: 9.00
  • Document Revision: 6

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.