search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Intrinsic Swimage Encore does not securely manage login credentials

Vulnerability Note VU#778427

Original Release Date: 2008-08-18 | Last Revised: 2008-08-27


Intrinsic Swimage Encore has an unencrypted, hardcoded, default password that could allow an attacker access to protected data.


Intrinsic Swimage Encore automates remote desktop, server, and device deployment. This product includes both a server and a client solution. The Swimage server sends to the client .bin files that contain encypted data. The Swimage client application, Conductor.exe, contains a hardcoded, unencrypted master password that can be used to access the data in these .bin files. Following a system installation the .bin files and Conductor.exe are unlinked from the remote client by the Swimage server, but the memory is not wiped.

Note that there is an option within Swimage Encore that allows the creation of bootable media. The .bin files on the bootable media use the unencrypted master password prior to version


Authentication credentials may be stored in plain text on client machines. The credentials may also be sent unencrypted over the network.


Apply an update
This issue is addressed in Intrinsic Swimage Encore version Customers should contact Encore Support at to receive updates.

Vendor Information


Intrinsic Affected

Notified:  August 01, 2008 Updated: August 18, 2008



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Intrinsic has released to address this issue. Customers should contact Encore Support at to receive updates.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This issue was reported by Adam Fier of Lockheed Martin/NASA.

This document was written by Chris Taschner.

Other Information

CVE IDs: None
Severity Metric: 0.32
Date Public: 2008-07-28
Date First Published: 2008-08-18
Date Last Updated: 2008-08-27 17:50 UTC
Document Revision: 13

Sponsored by CISA.