SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#912593

Guidance EnCase Enterprise uses weak authentication to identify target machines

Overview

Guidance Software's EnCase Enterprise uses IP authentication to identify target machines. An attacker may be able to provide the EnCase SAFE server with a disk image from a different machine than an investigator requested.

I. Description

Guidance Software's EnCase Enterprise allows investigators to remotely acquire disk images from target systems for forensic analysis. The remote target systems may be on the same LAN or located on the Internet.

EnCase Enterprise consists of three applications:

  1. EnCase SAFE is a server that is used to authenticate users, distribute licenses, provide forensic analysis tools, and communicate with target machines running the EnCase Servlet.
  2. EnCase Servlet runs locally on target machines and allows the EnCase SAFE to create an image from the target operating system.
  3. EnCase Examiner is a local application that is installed on the investigator’s computer and provides an interface to the EnCase SAFE server.

EnCase Enterprise Edition uses a public key encryption system to verify that the servlet is communicating with an authorized SAFE server; however, the SAFE server uses IP authentication to verify the identity of the servlet.

Information about this vulnerability was publicly disclosed by the iSec paper "Breaking Forensics Software: Weaknesses in Critical Evidence Collection."

II. Impact

An attacker may be able to supply the EnCase SAFE with a different image than the investigator requested by using ARP spoofing or other well-known network attacks.

III. Solution

Guidance Encase customers should see the Guidance support portal for information about obtaining fixed software and workarounds.


The following workarounds may mitigate this vulnerability:

  • Using IPSec or other virtual private network network technologies to provide secure communications and authentication for machines running the EnCase Servlet may mitigate this vulnerability by preventing attackers from injecting or manipulating data.
  • IDS systems capable of detecting ARP spoofing may be able to alert administrators when this attack vector is being exploited.

Systems Affected
VendorStatusDate NotifiedDate Updated
Guidance Software, Inc.Vulnerable20-Nov-2007

References


http://www.isecpartners.com/files/iSEC-Breaking_Forensics_Software-Paper.v1_1.BH2007.pdf
http://www.guidancesoftware.com/downloads/getpdf.aspx?fl=.pdf
http://technet.microsoft.com/en-us/library/Bb742429.aspx
http://en.wikipedia.org/wiki/ARP_spoofing
https://support.guidancesoftware.com/node/487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4202

Credit

iSec partners released information about this vulnerability.

This document was written by Ryan Giobbi and Jason McCormick.

Other Information

Date Public:2007-08-03
Date First Published:2007-11-09
Date Last Updated:2007-11-20
CERT Advisory: 
CVE-ID(s):CVE-2007-4202
NVD-ID(s):CVE-2007-4202
US-CERT Technical Alerts: 
Metric:0.90
Document Revision:33

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2007 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader