US-CERT Vulnerability Notes Database

NeoScale Systems, Inc. Information for VU#339004

Date Notified: 2006-08-10
Date Updated:
Statement Date:
Status Summary: Vulnerable

Vendor Statement

This vulnerability was possible because when a user configured for two-factor authentication with a SmartCard logged into the NeoScale CryptoStor Tape Appliance using a valid and current userid and password, the CryptoStor ActiveX component performed the second factor authentication of the user. The vulnerability resulted in the second factor authentication being bypassed and the user being authenticated without needing a SmartCard. The perpetrator was then able to perform all operations that the genuine user of the NeoScale CryptoStor Tape Appliance could perform.

This vulnerability was addressed by:

a) changing the CryptoStor ActiveX component to not perform the actual authentication, only to report on its success or failure. The CryptoStor ActiveX component version number was also changed.

b) changes to the cgi-bin program within the CryptoStor Appliance to perform the actual authentication. The cgi-bin program was also modified to not work with the original version of the CryptoStor ActiveX component.

c) implementation of a Thawte certificate for the CryptoStor ActiveX component.

These three changes have been implemented and are in the version of the NeoScale CryptoStor Tape Appliance code currently released (version 2.6).
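
The design change in (a) and (b), moving the second-factor decision from the client component to the server, shown as an added example. This is not NeoScale's code: the function names, the HMAC challenge-response scheme (standing in for a smart card's key operation) and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: per-user secret enrolled for the token. HMAC stands
# in for the smart card's key operation; a real card would sign asymmetrically.
ENROLLED_KEYS = {"operator1": b"constructed-demo-card-key"}
_pending = {}  # userid -> outstanding single-use challenge


def login_trusting_client(userid, password_ok, client_report):
    """Flawed pattern: the server accepts the client's own verdict."""
    return password_ok and client_report.get("second_factor_ok") is True


def issue_challenge(userid):
    """Server picks a fresh random challenge and remembers it for this user."""
    nonce = secrets.token_bytes(32)
    _pending[userid] = nonce
    return nonce


def card_response(card_key, nonce):
    """What the client component computes with the card and sends back."""
    return hmac.new(card_key, nonce, hashlib.sha256).digest()


def login_server_verified(userid, password_ok, response):
    """Hardened pattern: the server checks the proof itself."""
    nonce = _pending.pop(userid, None)  # single use: a replay finds no challenge
    key = ENROLLED_KEYS.get(userid)
    if not password_ok or nonce is None or key is None:
        return False
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)
```

With the first function, a valid password plus a client that merely claims success is enough to log in; with the second, the same claim is useless without a response computed from the enrolled key over the server's current challenge.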

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2009 by US-CERT, a government organization