
CERT Coordination Center

Meridian Prolog Manager uses weak authentication to store and transmit user credentials

Vulnerability Note VU#120593

Original Release Date: 2007-12-17 | Last Revised: 2007-12-19

Overview

Meridian Systems Prolog Manager does not use strong encryption and returns a list of all user credentials when authenticating clients. These behaviors could allow an attacker to obtain user credentials and decrypt passwords.

Description

Meridian Systems Prolog Manager is a set of construction project management tools that are designed to interface with a Microsoft SQL Server.

Prolog Manager administrators can choose to use one of the following methods to encrypt the passwords:

    • no encryption
    • standard encryption
    • enhanced encryption

By default, no encryption is selected, and Prolog Manager does not use sufficiently strong encryption when standard encryption or enhanced encryption is selected. In addition, when a client logs into Prolog Manager, the authentication credentials of all users in the system are returned to the client. An attacker could obtain credentials by sniffing network traffic or by sending an invalid login request to the Prolog Manager server and capturing the response. The attacker may then be able to decrypt passwords offline.
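
As an added illustration (not Prolog Manager's code or protocol, and not part of the original note), the Python sketch below contrasts the reply pattern described above with server-side verification that returns only the login outcome and stores salted PBKDF2 verifiers. The user table, function names and iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch

def make_record(password: str) -> dict:
    """Store a per-user random salt and a slow, salted one-way verifier."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "verifier": digest}

# Constructed sample user table (hypothetical names and passwords).
USERS = {
    "alice": make_record("Tr1cky!pass"),
    "bob": make_record("Tr1cky!pass"),  # same password as alice on purpose
}

def flawed_login(username: str, password: str) -> dict:
    """Pattern described in the note: the reply carries every user's
    stored credential, even when the login attempt is invalid."""
    return {"ok": False, "credentials": USERS}

# Dummy record so a lookup for an unknown user costs the same work.
_DUMMY = make_record("dummy")

def server_side_login(username: str, password: str) -> dict:
    """Verify on the server; the reply holds only the outcome."""
    record = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS
    )
    matches = hmac.compare_digest(candidate, record["verifier"])
    return {"ok": matches and username in USERS}

def leaked_fields(response: dict) -> set:
    """Names of response fields other than the login outcome."""
    return set(response) - {"ok"}
```

Because each record has its own random salt, the two users who share a password still have different stored verifiers, so one recovered password does not reveal the others.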

Impact

An attacker who can intercept network traffic or send an invalid login request can obtain authentication credentials and decrypt passwords.

Solution

We are currently unaware of a practical solution to this problem.

Use database and network encryption

    • Enabling the enhanced encryption option may increase the effort required for an attacker to decrypt passwords. See the Meridian November 2004 Product Tip for more information about enabling encryption.
    • Using an encrypted VPN or similar technology when accessing the Prolog Manager server may prevent an attacker from sniffing network traffic.

Vendor Information


Meridian Systems Affected

Notified:  September 27, 2007 Updated: December 19, 2007

Status

Affected

Vendor Statement

Created: December 14, 2007 Applies to: Prolog Manager (All versions)

This bulletin applies to any customer who currently uses any version of Meridian’s Prolog Manager product.

Issue Details

Meridian has become aware of a security vulnerability within Prolog Manager that could impact sections of the Prolog user community. This vulnerability concerns the method by which Prolog Manager handles password information.

There is a risk that password data could be intercepted and under certain circumstances a malicious internal user with cryptographic knowledge could determine the content of a user’s password.

It is important to note that this vulnerability would only allow password data to be intercepted by internal users with network access, and customers who have a correctly configured firewall in their environment remain protected from external threats.

Meridian recognizes that this security vulnerability must be addressed as a matter of urgency, and as such we are working towards resolving the problem as quickly as possible.

Who may be affected

This issue could affect all users of Prolog Manager who access the application over a network.

Immediate Recommendations

    • Ensure that you are using Prolog’s ‘Enhanced Encryption’ option, which requires the greatest level of cryptography knowledge to circumvent.
    • To use the ‘Enhanced Encryption’ option in Prolog Manager, please do the following:
      • Under the Options tab of Security Manager, select the 'Use Enhanced Encryption' option, and then click the Save button to complete the operation.
      • Please note that once this option is selected, you will be unable to switch back to using Standard Encryption.
    • Ensure that your firewall is active and configured appropriately to protect your network infrastructure from attacks from external sources.
    • Ensure that all Prolog users are using a ‘robust’ password of no less than 8 characters consisting of a combination of letters (upper and lower case), numbers and special characters. (This will make it much more difficult for malicious users to determine the value of any password they managed to intercept).

Product Enhancements

Meridian has identified the following product enhancements which it will implement as soon as possible in order to rectify the way in which password data is currently handled in Prolog Manager:
    1. All existing password encryption options will be replaced with the SHA-1 (Secure Hash Algorithm) encryption format.
      a) The upgrade process on a Prolog database will migrate existing password data to the new SHA-1 encrypted format.
      b) SHA-1 is a one-way digest, which means that it cannot be reversed to get the original password under any circumstances.
    2. Prolog’s application logic will be amended to do the following:
      a) Only SHA-1 encrypted passwords will be passed when Prolog needs to transfer password data from the client to the database server.
      b) A revised method will be implemented for setting and changing passwords to ensure password information will never be read directly from the database.
    Once the above enhancements have been completed, Meridian will immediately make security patches available for Prolog 7.5 SP3, Prolog 2007, Prolog 2007 R1 and Prolog 2007 R2 for implementation by our customers.

    The enhancements will also be included as part of our next major release, Prolog 2008, scheduled to be available in the first half of 2008.

    Contacting Meridian Systems

    If you require any further information on this issue, please contact Meridian Systems Support Services by using any of the following methods:
    Email: support@meridiansystems.com
    Fax: 916 294-2001
    Telephone: 916 294-2100
    Internet: http://www.meridiansystems.com/services/support/index.asp The Meridian Systems SupportLink includes a technical knowledge base, answers to frequently asked questions, technical documentation and a form to submit specific support requests 24 hours a day, 365 days a year.
    Mail: Meridian Systems Attn: Support Services 1720 Prairie City Road, Suite 120 Folsom, CA 95630

    THE INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MERIDIAN SYSTEMS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MERIDIAN SYSTEMS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MERIDIAN PROJECT SYSTEMS CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
    Did you find this document helpful? Send your comments to doc@meridiansystems.com.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.


    CVSS Metrics

    Group Score Vector
    Base
    Temporal
    Environmental

    References

    Acknowledgements

    Information about this vulnerability was posted on the bugtraq mailing list.

    This document was written by Ryan Giobbi.

    Other Information

    CVE IDs: CVE-2007-6330
    Severity Metric: 1.77
    Date Public: 2007-12-11
    Date First Published: 2007-12-17
    Date Last Updated: 2007-12-19 17:35 UTC
    Document Revision: 44

    Sponsored by CISA.