Dangerous information in CentraOne log files - VENDOR RESPONSE

From: JClarkat_private
Date: Thu Dec 27 2001 - 12:02:49 PST

Next message: Brian Hatch: "Stunnel: Format String Bug in versions <3.22"

Previous message: Larry W. Cashdollar: "Lynx format string vulnerability in URL logging."
Next in thread: zedflyat_private: "RE: Dangerous information in CentraOne log files - VENDOR RESPONSE"
Reply: zedflyat_private: "RE: Dangerous information in CentraOne log files - VENDOR RESPONSE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Centra Software first became aware of a security vulnerability in several
versions of its products with a posting to the Bugtraq distribution lists.
Centra is a vendor committed not only to providing secure software
solutions, but also to informing its customers immediately of any
vulnerabilities it discovers in its products and, as such, is notifying all
its customers and Bugtraq subscribers with its response to this
vulnerability. 

If you have additional questions or inquiries, please contact Centra
Customer Support directly at supportat_private
Thanks, 
- The Centra Customer Support Team

****************************************************************************
*************************************
ORIGINAL POSTING
Date Published: 12/17/01 Bugtraq ID: - CVE CAN: - Title: Dangerous
information being recorded in CentraOne Log files, possible user
impersonation Severity: Medium Remote Exploit: No Local Exploit: Yes
****************************************************************************
*************************************

RESPONSE FROM THE VENDOR, CENTRA SOFTWARE

DESCRIPTION OF VULNERABILITY

This security bug applies to CentraOne v5.2 customers using Centra Smart
Connect patch CEN5.2-03 (released November 11, 2001) and Centra ASP
customers. For both sets of customers, it only applies to users who connect
to the Centra Server through a proxy server which has Basic Authentication
enabled.

When the client launches, a log file is created on the end user's local PC.
If the user is connecting through a proxy server with Basic Authentication
enabled, the log file contains information about the proxy server including
a base64 encoded username / password string.  This information could be used
to launch an impersonation attack by an individual who has physical access
to the log files on the end user's client PC.

PREVENTION OF VULNERABILITY 

Below is a list of steps you can take to avoid this problem. Please contact
Centra Customer Support for more details.

NOTE: Only applicable to customers using CentraOne 5.2 with Patch CEN5.2-03
and Centra ASP services

- Upgrade to CentraOne 5.3 General Availability, which is not susceptible to
this problem and is available from Centra today.

- Install the patch designed to address this, which will be available for
download from the Centra customer support web site on or before Friday,
January 4.

- Centra will be adding a patch to the Centra eMeeting ASP service to
address this bug.

****************************************************************************
*************************************

Next message: Brian Hatch: "Stunnel: Format String Bug in versions <3.22"
Previous message: Larry W. Cashdollar: "Lynx format string vulnerability in URL logging."
Next in thread: zedflyat_private: "RE: Dangerous information in CentraOne log files - VENDOR RESPONSE"
Reply: zedflyat_private: "RE: Dangerous information in CentraOne log files - VENDOR RESPONSE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Dec 27 2001 - 12:25:44 PST