BindView NetInventory NetRC hostcfg_ni password passed in clear text

From: Barker, Brent (hostmasterat_private)
Date: Thu Jan 24 2002 - 13:53:39 PST


    A design flaw exists in BindView NetInventory and NetRC software that 
    allows users to view the password during auditing.
    
    Discovered: Wednesday, January 09, 2002 4:54 PM
    
    Steps to reproduce the flaw.
    
    Local users can delete their HOSTCFG._NI file and then force an audit from
    the netlogon directory.  During the audit the HOSTCFG._NI is rewritten as
    HOSTCFG.INI which is in clear text until the audit is complete.   
    
    Each machine on the network configured with that password can be accessed
    remotely.
    
    BindView returned our e-mails with the statement that it would be fixed in
    the next release.
    
    Brent Barker
    ViaSat, Inc.
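
A defensive check for the exposure window described in the report, added here as an example (not code from the original post or from BindView): it classifies a directory by whether the cleartext HOSTCFG.INI is present and whether HOSTCFG._NI is missing. The directory passed in, the function name and the 600-second bound on audit duration are assumptions, not values from the report.

```python
import os
import time

CLEARTEXT_NAME = "hostcfg.ini"  # cleartext form named in the report
ENCODED_NAME = "hostcfg._ni"    # at-rest form named in the report


def check_config_dir(directory, max_audit_seconds=600, now=None):
    """Classify one directory that is expected to hold the audit config.

    max_audit_seconds is an assumed upper bound on how long an audit runs;
    a cleartext file older than that is reported as stale rather than as
    an audit in progress.
    """
    now = time.time() if now is None else now
    # Windows file names are case-insensitive, so compare lower-cased names.
    names = {n.lower(): n for n in os.listdir(directory)
             if os.path.isfile(os.path.join(directory, n))}
    result = {"dir": directory, "status": "ok", "age_seconds": None}

    clear = names.get(CLEARTEXT_NAME)
    if clear is not None:
        # Cleartext config is on disk: the password is readable right now.
        age = now - os.stat(os.path.join(directory, clear)).st_mtime
        result["age_seconds"] = int(age)
        result["status"] = ("cleartext-stale" if age > max_audit_seconds
                            else "cleartext-present")
    elif ENCODED_NAME not in names:
        # Neither file exists: matches the first reproduction step, where
        # the user deletes HOSTCFG._NI before forcing an audit.
        result["status"] = "encoded-missing"
    return result


def check_many(directories, **kwargs):
    """Return only the directories that need attention."""
    findings = []
    for d in directories:
        r = check_config_dir(d, **kwargs)
        if r["status"] != "ok":
            findings.append(r)
    return findings
```

Any non-"ok" result is a reason to treat the audit password as exposed on that machine and rotate it.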
    



    This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 05:48:51 PST