CERT Coordination Center

CoSoSys Endpoint Protector 4 appliance contains a predictable password for root-equivalent account vulnerability

Vulnerability Note VU#591667

Original Release Date: 2012-09-17 | Last Revised: 2012-09-17

Overview

CoSoSys Endpoint Protector 4 appliance contains a predictable password for root-equivalent accounts.

Description

According to CoSoSys's website, the Endpoint Protector 4 appliance is a DLP product used to prevent users from taking unauthorized data outside the company or bringing potentially harmful files on USB devices, files which can have a significant impact on your network’s health.

The CoSoSys Endpoint Protector 4 appliance contains a predictable password for root-equivalent accounts. The activation script sets the password of the EPProot account to a value based on the sum of each number in the appliance's serial number. The script cuts the serial number (10 numeric characters) out of a file and then adds each character together to populate the $SUMS variable. The password for the epproot account is then set to "eroot!00($SUM)RO", where $SUM is a number presumably from 0-90 (9*10). There are only 90 unique combinations, so it can be brute-forced.
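The following added example (not code from CERT/CC or the vendor) quantifies why deriving a secret from the digit sum of a serial number is weak: it counts how many 10-digit serials collapse onto each sum and compares the resulting entropy with that of the serial itself. It assumes serial numbers are uniformly distributed; the function names are hypothetical.

```python
"""Keyspace analysis for a secret derived from the digit sum of a serial number."""
import math
from collections import Counter

SERIAL_DIGITS = 10  # from the note: the serial is 10 numeric characters


def digit_sum_distribution(n_digits: int) -> Counter:
    """Map each possible digit sum to the number of n-digit serials producing it."""
    counts = Counter({0: 1})  # zero digits: one way to reach sum 0
    for _ in range(n_digits):
        nxt = Counter()
        for total, ways in counts.items():
            for digit in range(10):
                nxt[total + digit] += ways
        counts = nxt
    return counts


def shannon_entropy_bits(counts: Counter) -> float:
    """Entropy of the derived value (assumption: serials are uniform)."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def summarize(n_digits: int = SERIAL_DIGITS) -> dict:
    """Compare the serial's keyspace with the keyspace left after summing digits."""
    dist = digit_sum_distribution(n_digits)
    serials = sum(dist.values())
    return {
        "serials": serials,                        # inputs to the derivation
        "distinct_sums": len(dist),                # outputs of the derivation
        "serial_bits": math.log2(serials),         # entropy before derivation
        "upper_bound_bits": math.log2(len(dist)),  # if every sum were equally likely
        "entropy_bits": shannon_entropy_bits(dist),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        shown = f"{value:.2f}" if isinstance(value, float) else str(value)
        print(f"{key:>17}: {shown}")
```

The same functions can be pointed at any scheme that derives a credential from a device identifier: if `entropy_bits` is far below `serial_bits`, the derivation discards most of the identifier's unpredictability.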

Impact

An attacker may be able to gather sensitive configuration information including account credentials or session authentication tokens of the CoSoSys Endpoint Protector 4 appliance.

Solution

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from accessing a CoSoSys Endpoint Protector 4 appliance using stolen credentials from a blocked network location.

Vendor Information


CoSoSys Endpoint Security

Notified:  July 30, 2012 Updated:  September 10, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           6.8    AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal       5.2    E:POC/RL:W/RC:UC
Environmental  1.7    CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Christopher Campbell for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-2994
Date Public: 2012-09-17
Date First Published: 2012-09-17
Date Last Updated: 2012-09-17 11:59 UTC
Document Revision: 9

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.