Vulnerability Note VU#465239
NetSupport Manager Gateway transmits identifying information in plaintext
The NetSupport HTTP protocol implementation used for communication between the NetSupport Manager Gateway and NetSupport Manager Controls or NetSupport Manager Clients is not encrypting http headers sent between systems.
The NetSupport HTTP protocol implementation used for communication between the NetSupport Manager Gateway and NetSupport Manager Controls or NetSupport Manager Clients is sending plaintext http headers between systems. The header of some of the NetSupport HTTP packets contain information in plaintext that could be used to identify information about the client machine.
An attacker could view identification information about the client machine such as the client's ip address, hardware MAC address, user's login name, and password hash.
According to the vendor's technical document the NetSupport HTTP protocol implementation has been updated so that all header communication is now encrypted in the current shipping version of the NetSupport Manager product (version 11.00.0005).
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|NetSupport Ltd||Affected||-||10 Sep 2010|
CVSS Metrics (Learn More)
Thanks to Matthew Whitehead for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: Unknown
- Date Public: 03 Nov 2010
- Date First Published: 03 Nov 2010
- Date Last Updated: 03 Nov 2010
- Severity Metric: 4.97
- Document Revision: 21
If you have feedback, comments, or additional information about this vulnerability, please send us email.