Vulnerability Note VU#912593
Guidance EnCase Enterprise uses weak authentication to identify target machines
Guidance Software's EnCase Enterprise uses IP authentication to identify target machines. An attacker may be able to provide the EnCase SAFE server with a disk image from a different machine than an investigator requested.
Guidance Software's EnCase Enterprise allows investigators to remotely acquire disk images from target systems for forensic analysis. The remote target systems may be on the same LAN or located on the Internet.
EnCase Enterprise consists of three applications:
EnCase Enterprise Edition uses a public key encryption system to verify that the servlet is communicating with an authorized SAFE server; however, the SAFE server uses IP authentication to verify the identity of the servlet.
Information about this vulnerability was publicly disclosed by the iSEC paper "Breaking Forensics Software: Weaknesses in Critical Evidence Collection."
An attacker may be able to supply the EnCase SAFE with a different image than the investigator requested by using ARP spoofing or other well-known network attacks.
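The difference between identifying a target by its network address and by a key it holds, as an added example that is not EnCase code and does not reproduce its protocol. The host name, the address, the per-target enrolled secret and every function name are assumptions made for illustration, and an HMAC over a shared secret stands in for a public-key signature so that the example needs only the Python standard library.

```python
import hashlib
import hmac
import secrets

# Constructed inventory: what the collecting server knows about one target.
EXPECTED_IP = {"workstation-17": "192.0.2.17"}
# Assumption: a per-target secret provisioned when the agent is installed.
ENROLLED_KEY = {"workstation-17": secrets.token_bytes(32)}


def identify_by_ip(target, peer_ip):
    """Address-only check: any host answering from this IP is accepted."""
    return EXPECTED_IP.get(target) == peer_ip


def agent_response(key, target, nonce, image_digest):
    """Agent side: MAC over target name, server nonce and image digest."""
    msg = target.encode() + b"\x00" + nonce + image_digest
    return hmac.new(key, msg, hashlib.sha256).digest()


def identify_by_key(target, nonce, image_digest, tag):
    """Server side: accept only a tag made with the enrolled key for this nonce."""
    key = ENROLLED_KEY.get(target)
    if key is None:
        return False
    expected = agent_response(key, target, nonce, image_digest)
    return hmac.compare_digest(expected, tag)


def compare_checks():
    target = "workstation-17"
    real = hashlib.sha256(b"constructed image: workstation-17").digest()
    other = hashlib.sha256(b"constructed image: different machine").digest()
    nonce = secrets.token_bytes(16)
    good_tag = agent_response(ENROLLED_KEY[target], target, nonce, real)
    # A host that holds the expected address but not the enrolled key.
    wrong_key_tag = agent_response(secrets.token_bytes(32), target, nonce, other)
    return {
        "ip_check_accepts_wrong_host": identify_by_ip(target, "192.0.2.17"),
        "key_check_accepts_wrong_host": identify_by_key(target, nonce, other, wrong_key_tag),
        "key_check_accepts_swapped_image": identify_by_key(target, nonce, other, good_tag),
        "key_check_accepts_stale_nonce": identify_by_key(target, secrets.token_bytes(16), real, good_tag),
        "key_check_accepts_real_agent": identify_by_key(target, nonce, real, good_tag),
    }


if __name__ == "__main__":
    print(compare_checks())
```

Only the address check accepts the host that lacks the enrolled key. Binding the image digest and a fresh nonce into the tag also rejects a swapped image and a replayed response.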
Guidance EnCase customers should see the Guidance support portal for information about obtaining fixed software and workarounds.
Systems Affected

|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Guidance Software, Inc.|Affected|-|20 Nov 2007|
CVSS Metrics
iSEC Partners released information about this vulnerability.
This document was written by Ryan Giobbi and Jason McCormick.
- CVE IDs: CVE-2007-4202
- Date Public: 03 Aug 2007
- Date First Published: 09 Nov 2007
- Date Last Updated: 20 Nov 2007
- Severity Metric: 0.90
- Document Revision: 33