NeoScale Systems, Inc.

Notified:  August 10, 2006 Updated: December 21, 2006



Vendor Statement

This vulnerability was possible because when a user configured for two-factor authentication with a SmartCard logged into the NeoScale CryptoStor Tape Appliance using a valid and current userid and password, the CryptoStor ActiveX component performed the second factor authentication of the user. The vulnerability resulted in the second factor authentication being bypassed and the user being authenticated without needing a SmartCard. The perpetrator was then able to perform all operations that the genuine user of the NeoScale CryptoStor Tape Appliance could perform. This vulnerability was addressed by a) changing the CryptoStor ActiveX component to not perform the actual authentication only to report on its success or failure. The CryptoStor ActiveX component version number was also changed. b) changes to the cgi-bin program within the CryptoStor Appliance to perform the actual authentication. The cgi-bin program was also modified to not work with the original version of the CryptoStor ActiveX component c) implementation of a Thawte certificate for the CryptoStor ActiveX component These three changes have been implemented and are in the version of the NeoScale CryptoStor Tape Appliance code currently released (version 2.6).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.