Executive Summary
Summary | |
---|---|
Title | NetSupport Manager Gateway transmits identifying information in plaintext |
Information | |||
---|---|---|---|
Name | VU#465239 | First vendor Publication | 2010-11-03 |
Vendor | VU-CERT | Last vendor Modification | 2010-11-03 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#465239
NetSupport Manager Gateway transmits identifying information in plaintext
Overview
The NetSupport HTTP protocol implementation used for communication between the NetSupport Manager Gateway and NetSupport Manager Controls or NetSupport Manager Clients does not encrypt HTTP headers sent between systems.
I. Description
The NetSupport HTTP protocol implementation used for communication between the NetSupport Manager Gateway and NetSupport Manager Controls or NetSupport Manager Clients sends plaintext HTTP headers between systems. The headers of some NetSupport HTTP packets contain plaintext information that could be used to identify the client machine.
II. Impact
An attacker could view identification information about the client machine, such as the client's IP address, hardware MAC address, user's login name, and password hash.
III. Solution
Upgrade
According to the vendor's technical document, the NetSupport HTTP protocol implementation has been updated so that all header communication is now encrypted in the current shipping version of the NetSupport Manager product (version 11.00.0005).
References
http://www.netsupportsoftware.com/support/td.asp?td=634
Thanks to Matthew Whitehead for reporting this vulnerability. This document was written by Michael Orlando.
Original Source
Url : http://www.kb.cert.org/vuls/id/465239 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-310 | Cryptographic Issues |
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
69014 | NetSupport Manager Cleartext HTTP Header Information Disclosure: NetSupport Manager contains a flaw that may lead to an unauthorized information disclosure. The HTTP protocol implementation sends HTTP headers with information stored in cleartext fields. The issue is triggered when the HTTP packets between the NetSupport Manager Gateway and Controls or clients are intercepted. This may disclose sensitive information to a remote attacker. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2010-11-10 | Name : The remote web server hosts an application that is affected by an information... File : netsupport_gateway_info_disclosure.nasl - Type : ACT_GATHER_INFO |
2010-11-10 | Name : The remote Windows host has an application that is affected by an information... File : netsupport_manager_11_0_5.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 12:07:51 |