Executive Summary

Summary
Title: CREDANT Mobile Guardian Shield fails to remove credentials from memory
Information
Name: VU#821865
First vendor publication: 2007-06-01
Vendor: VU-CERT
Last vendor modification: 2007-06-01
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Impact SubScore: NA
Exploitability SubScore: NA
Environmental Score: NA
Temporal Score: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score: 4.6
CVSS Impact Score: 6.4
CVSS Exploit Score: 3.9
Attack Range: Local
Attack Complexity: Low
Authentication: None Required

Detail

Vulnerability Note VU#821865

CREDANT Mobile Guardian Shield fails to remove credentials from memory

Overview

CREDANT Mobile Guardian Shield fails to properly remove credentials from memory, which may allow an attacker to obtain access to the Windows domain and encrypted drive contents.

I. Description

CREDANT Mobile Guardian (CMG) Shield is a component of Mobile Guardian Enterprise Edition. CMG Shield provides policy-based encryption of specified files. CMG Shield fails to properly clear credentials out of system memory. The default configuration for CMG Shield does not encrypt the Windows pagefile, which means that the credentials may be written to disk. Please see the CREDANT vendor statement below in this vulnerability note for more details.
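
The failure described above, shown from the fix side as an added example (it is not CREDANT's code and not part of the CERT note): a credential buffer that is pinned in RAM so it cannot reach swap, and overwritten before release. It uses POSIX `mlock` for illustration; on Windows the corresponding calls are `VirtualLock` and `SecureZeroMemory`. The names `cred_t`, `cred_new`, `cred_clear`, `cred_free` and `secure_wipe` are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define CRED_MAX 128

/* Hypothetical credential holder (not from the advisory). */
typedef struct { char secret[CRED_MAX]; size_t len; int locked; } cred_t;

/* Wipe through a volatile pointer so the compiler cannot discard the stores
 * as dead writes, which it may do to a plain memset() before free(). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Allocate, pin, then copy: pages are locked before the secret arrives. */
cred_t *cred_new(const char *secret) {
    size_t n = strlen(secret);
    if (n >= CRED_MAX) return NULL;          /* refuse oversized input */
    cred_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    /* mlock() keeps the pages out of swap; it can fail (RLIMIT_MEMLOCK),
     * so the result is recorded for the caller to act on. */
    c->locked = (mlock(c, sizeof *c) == 0);
    memcpy(c->secret, secret, n);
    c->len = n;
    return c;
}

/* Clear the secret once it is no longer needed; returns the count of
 * non-zero bytes left in the buffer (0 when the wipe took effect). */
size_t cred_clear(cred_t *c) {
    size_t left = 0;
    secure_wipe(c->secret, sizeof c->secret);
    c->len = 0;
    for (size_t i = 0; i < sizeof c->secret; i++) left += (c->secret[i] != 0);
    return left;
}

/* Wipe the whole structure, then unlock and release it. */
void cred_free(cred_t *c) {
    if (!c) return;
    int locked = c->locked;
    secure_wipe(c, sizeof *c);
    if (locked) munlock(c, sizeof *c);
    free(c);
}
```

A caller that requires the no-swap guarantee should check `locked` after `cred_new` and refuse to proceed when it is 0.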

II. Impact

An attacker with access to the contents of system memory may be able to retrieve the user's credentials, which can allow access to encrypted files.

III. Solution

Apply an update

This issue is addressed in CMG Enterprise Edition 5.2.1 SP1, which was released on May 1, 2007. Please see the CREDANT support site to obtain the update. Details for this vulnerability are available in the support post titled "Vulnerability in Credant Mobile Guardian Shield for Windows."

Systems Affected

Vendor | Status | Date Updated
CREDANT Technologies, Inc. | Vulnerable | 1-Jun-2007

References


http://support.credant.com
http://secunia.com/advisories/25410/

Credit

Thanks to Michael Iacovacci for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public: 05/24/2007
Date First Published: 06/01/2007 10:15:53 AM
Date Last Updated: 06/01/2007
CERT Advisory:
CVE Name: CVE-2007-2883
Metric: 0.49
Document Revision: 4

Original Source

Url : http://www.kb.cert.org/vuls/id/821865

Open Source Vulnerability Database (OSVDB)

Id | Description
36524 | Credant Mobile Guardian Shield for Windows Cleartext Credential Disclosure