10 - VU#120593

Executive Summary

Summary
Title	Meridian Prolog Manager uses weak authentication to store and transmit user credentials

Informations
Name	VU#120593	First vendor Publication	2007-12-17
Vendor	VU-CERT	Last vendor Modification	2007-12-19
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score	10	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#120593

Meridian Prolog Manager uses weak authentication to store and transmit user credentials

Overview

Meridian Systems Prolog Manager does not use strong encryption and returns a list of all user credentials when authenticating clients. These behaviors could allow an attacker to obtain user credentials and decrypt passwords.

I. Description

Meridian Systems Prolog Manager is a set of construction project management tools that are designed to interface with a Microsoft SQL Server.

Prolog Manager administrators can choose to use one of the following methods to encrypt the passwords:

no encryption
standard encryption
enhanced encryption

By default, no encrytion is selected, and Prolog Manager does not use sufficiently strong encryption when standard encryption or enhanced encryption are selected. In addition, when a client logs into Prolog Manager, the authentication credentials of all users in the system are returned to the client. An attacker could obtain credentials by sniffing network traffic or by sending an invalid login request to the Prolog Manager server and capturing the response. The attacker may then be able to decrypt passwords offline.

II. Impact

An attacker who can intercept network traffic or send an invalid loin request can obtain authentication credentials and decrypt passwords.

III. Solution

We are currently unaware of a practical solution to this problem.

Use database and network encryption

Enabling the enhanced encryption option may increase the effort required for an attacker to decrpt passwords. See the Meridian November 2004 Product Tip for more information about enabling encryption.
Using an encrypted VPN or similar technology when accessing the Prolog Manager server may prevent an attacker from sniffing network traffic.

Systems Affected

Vendor	Status	Date Updated
Meridian Systems	Vulnerable	19-Dec-2007

References

http://www.meridiansystems.com/products/prolog/PM/projectmanagementtools.asp
http://www.meridiansystems.com/newsevents/newsletter/Newsletter_November_04_tip.htm
http://www.securityfocus.com/archive/1/484886/30/0/threaded
http://www.microsoft.com/protect/yourself/password/create.mspx
http://secunia.com/advisories/28065/

Credit

Information about this vulnerability was posted on the bugtraq mailing list.

This document was written by Ryan Giobbi.

Other Information

Date Public	12/11/2007
Date First Published	12/17/2007 01:13:14 PM
Date Last Updated	12/19/2007
CERT Advisory
CVE Name	CVE-2007-6330
Metric	1.77
Document Revision	28

Original Source

Url : http://www.kb.cert.org/vuls/id/120593

CPE : Common Platform Enumeration

Type	Description	Count
Application	Meridian Software Prolog Manager cpe:2.3:a:meridian_software:prolog_manager:2007:::::::* cpe:2.3:a:meridian_software:prolog_manager:7.5:::::::* cpe:2.3:a:meridian_software:prolog_manager:7.0:::::::*	3

Open Source Vulnerability Database (OSVDB)

Id	Description
42634	Meridian Prolog Manager Cleartext Password Disclosure

Global Informations

Type	Count
CPE ID(s)	3
osvdb(s)	1

	Related
10	CVE-2007-6330
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)