The NetSupport HTTP protocol implementation used for communication between the NetSupport Manager Gateway and NetSupport Manager Controls or NetSupport Manager Clients is not encrypting http headers sent between systems.
The NetSupport HTTP protocol implementation used for communication between the NetSupport Manager Gateway and NetSupport Manager Controls or NetSupport Manager Clients is sending plaintext http headers between systems. The header of some of the NetSupport HTTP packets contain information in plaintext that could be used to identify information about the client machine.
An attacker could view identification information about the client machine such as the client's ip address, hardware MAC address, user's login name, and password hash.
According to the vendor's technical document the NetSupport HTTP protocol implementation has been updated so that all header communication is now encrypted in the current shipping version of the NetSupport Manager product (version 11.00.0005).
Thanks to Matthew Whitehead for reporting this vulnerability.
This document was written by Michael Orlando.
|Date First Published:||2010-11-03|
|Date Last Updated:||2010-11-03 18:17 UTC|