Executive Summary
Summary | |
---|---|
Title | Intrinsic Swimage Encore does not securely manage login credentials |
Informations | |||
---|---|---|---|
Name | VU#778427 | First vendor Publication | 2008-08-18 |
Vendor | VU-CERT | Last vendor Modification | 2008-08-27 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 2.1 | Attack Range | Local |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#778427Intrinsic Swimage Encore does not securely manage login credentialsOverviewIntrinsic Swimage Encore has an unencrypted, hardcoded, default password that could allow an attacker access to protected data.I. DescriptionIntrinsic Swimage Encore automates remote desktop, server, and device deployment. This product includes both a server and a client solution. The Swimage server sends to the client .bin files that contain encypted data. The Swimage client application, Conductor.exe, contains a hardcoded, unencrypted master password that can be used to access the data in these .bin files. Following a system installation the .bin files and Conductor.exe are unlinked from the remote client by the Swimage server, but the memory is not wiped.Note that there is an option within Swimage Encore that allows the creation of bootable media. The .bin files on the bootable media use the unencrypted master password prior to version 5.0.1.21. This issue is addressed in Intrinsic Swimage Encore version 5.0.1.21. Customers should contact Encore Support at encoresupport@intrinsic.net to receive updates.
ReferencesThis issue was reported by Adam Fier of Lockheed Martin/NASA. This document was written by Chris Taschner.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/778427 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-255 | Credentials Management |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
47787 | Swimage Encore Hardcoded Unencrypted Default Password |