Executive Summary

Summary
Title Guidance EnCase Enterprise uses weak authentication to identify target machines
Information
Name: VU#912593
First vendor publication: 2007-11-09
Vendor: VU-CERT
Last vendor modification: 2007-11-09
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score: NA
Base Score: NA    Environmental Score: NA
Impact Sub Score: NA    Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score: 4.3    Attack Range: Network
Cvss Impact Score: 2.9    Attack Complexity: Medium
Cvss Exploit Score: 8.6    Authentication: None Required

Detail

Vulnerability Note VU#912593

Guidance EnCase Enterprise uses weak authentication to identify target machines

Overview

Guidance EnCase Enterprise uses IP authentication to identify target machines. An attacker may be able to provide the EnCase SAFE server with a disk image from a different machine than the one requested by an investigator.

I. Description

Guidance EnCase Enterprise Edition allows investigators to remotely acquire disk images from target systems for forensic analysis. The remote target systems may be on the same LAN, or located on the Internet.

The EnCase Enterprise Edition consists of three applications:

  1. EnCase SAFE is a server that is used to authenticate users, distribute licenses, provide forensic analysis tools, and communicate with target machines running the EnCase servlet.
  2. EnCase Servlet runs locally on target machines, and allows the EnCase SAFE to create an image from the target operating system.
  3. EnCase Examiner is a local application that is installed on the investigator's computer, and provides an interface to the EnCase SAFE server.

EnCase Enterprise Edition uses a public key encryption system to verify that the servlet is communicating with an authorized SAFE server; however, the SAFE server relies on IP authentication (the servlet's network address) to verify the identity of the servlet.

Information about this vulnerability was publicly disclosed in the iSec Partners paper Weaknesses in Critical Evidence Collection.

II. Impact

An attacker may be able to supply the EnCase SAFE with a different image than the one requested by the investigator, using ARP spoofing or other well-known network attacks.

III. Solution

Guidance EnCase customers should see the Guidance support portal for information about obtaining fixed software and workarounds.


The following workarounds may mitigate this vulnerability:

  • Using IPsec or other virtual private network technologies to provide secure communications and authentication for machines running the EnCase servlet may mitigate this vulnerability by preventing attackers from injecting or manipulating data.
  • Intrusion detection systems capable of detecting ARP spoofing may be able to alert administrators when this attack vector is being exploited.
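As an added illustration of the second workaround (this is not code from the CERT note or from Guidance Software), the following arpwatch-style check walks a set of constructed ARP reply records as an IDS on the SAFE server's segment would, and flags the two symptoms of ARP cache poisoning: an IP address that suddenly announces a different MAC, and one MAC that claims more than one IP. All addresses and timestamps are made up.

```python
"""Minimal ARP-spoofing detector over constructed ARP reply records."""
from collections import defaultdict

# Constructed sample of ARP replies seen on the SAFE server's segment:
# (seconds since start, sender IP, sender MAC). Nothing here is real.
SAMPLE_ARP_REPLIES = [
    (0,  "10.0.0.20", "00:11:22:33:44:20"),  # genuine servlet host
    (1,  "10.0.0.1",  "00:11:22:33:44:01"),  # genuine gateway
    (30, "10.0.0.20", "00:11:22:33:44:20"),  # same mapping again, benign
    (61, "10.0.0.20", "de:ad:be:ef:00:01"),  # same IP, new MAC: poisoning
    (62, "10.0.0.1",  "de:ad:be:ef:00:01"),  # that MAC now also claims the gateway
]


def detect_arp_anomalies(replies, known=None):
    """Return a list of (time, kind, ip, mac) alerts.

    'flip' fires when an IP is announced with a MAC that differs from the
    last MAC recorded for it; 'multi-ip' fires when a MAC that already owns
    one IP claims another. `known` seeds the table with trusted static
    mappings. Every change is reported; a production deployment would
    suppress expected DHCP churn and alert only on the SAFE/servlet hosts.
    """
    ip_to_mac = dict(known or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for t, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((t, "flip", ip, mac))
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alerts.append((t, "multi-ip", ip, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print("ALERT t=%ds %-8s ip=%s mac=%s" % alert)
```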

Systems Affected

Vendor                   Status      Date Updated
Guidance Software, Inc.  Vulnerable  9-Nov-2007

References


http://www.isecpartners.com/files/iSEC-Breaking_Forensics_Software-Paper.v1_1.BH2007.pdf
http://www.guidancesoftware.com/downloads/getpdf.aspx?fl=.pdf
http://technet.microsoft.com/en-us/library/Bb742429.aspx
http://en.wikipedia.org/wiki/ARP_spoofing
https://support.guidancesoftware.com/node/487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4202

Credit

iSec Partners released information about this vulnerability.

This document was written by Ryan Giobbi and Jason McCormick.

Other Information

Date Public: 08/03/2007
Date First Published: 11/09/2007 09:46:03 AM
Date Last Updated: 11/09/2007
CERT Advisory: 
CVE Name: CVE-2007-4202
Metric: 0.90
Document Revision: 32

Original Source

Url : http://www.kb.cert.org/vuls/id/912593

CPE : Common Platform Enumeration

Type         Description  Count
Application               1

Open Source Vulnerability Database (OSVDB)

Id     Description
44745  EnCase Enterprise Edition EEE Servlet Acquisition Target Spoofing