SecurityTracker.com
Category: Application (VPN) > SafeNet SoftRemote
Vendor: SafeNet

SafeNet SoftRemote VPN Client Discloses Key to Local Users

SecurityTracker Alert ID: 1013134
SecurityTracker URL: http://securitytracker.com/id/1013134
CVE Reference: GENERIC-MAP-NOMATCH
Date: Feb 9 2005
Impact: Disclosure of authentication information
Vendor Confirmed: Yes
Exploit Included: Yes

Description: A vulnerability was reported in the SafeNet SoftRemote VPN client. A local user may be able to obtain the VPN key.

The SafeNet SoftRemote client process 'IreIKE.exe' holds the VPN password (i.e., the pre-shared key) unencrypted in process memory. A local user who can read that process memory can obtain the key.

The client also stores the key in an encoded (obfuscated, not encrypted) form in the Windows Registry and in policy files ('.spd' files). A local user with access to the registry or to a policy file can decode the key.

NTA Monitor reported this vulnerability.

The original advisory is available at:

http://www.nta-monitor.com/news/vpn-flaws/safenet/index.htm

Impact: A local user may be able to obtain the VPN key.
Solution: The vendor has prepared a fix, to be available shortly.
Vendor URL: www.safenet-inc.com/products/vpn/softRemote.asp
Cause: Access control error
Underlying OS: Windows (Any)

Message History:   None.


Source Message Contents

Date:  Tue, 08 Feb 2005 12:08:18 +0000
Subject:  SafeNet SoftRemote VPN Client Issue: Clear-text password


SafeNet SoftRemote VPN Client Issue: Clear-text password stored in memory

Summary:

NTA Monitor have discovered a password disclosure issue in the SafeNet 
SoftRemote VPN client:  The SoftRemote client stores the password in an 
obfuscated form in the Windows registry, but it also stores the unencrypted 
password in process memory.

The SafeNet SoftRemote VPN client is widely used for remote access IPsec 
VPNs.  It is available as a product in its own right, and many VPN vendors 
also use a badged-up version of the client which they ship with their VPN 
product.  The issue has been confirmed in both the SoftRemote product, and 
also in two badged-up versions.  It is suspected that the issue is common 
to all versions of the client.

The vendor has been notified of this issue, and has produced a fix which 
is expected to be available shortly.

Overview:

While performing a VPN test for a customer, NTA Monitor discovered that the 
VPN client that was being used stored the VPN password (pre-shared key) 
unencrypted in the memory of the process "IreIKE.exe".  It was possible to 
recover the password by dumping the process memory to a file with PMDump 
(http://ntsecurity.nu/toolbox/pmdump/) or by crashing the system to obtain 
a physical memory dump.

The IreIKE.exe process decrypts the pre-shared key as soon as it starts up, 
so there is no need to attempt to connect to the VPN server in order to 
obtain the password from the client.

The vulnerability was found in both the SafeNet version of the client, and also 
two badged-up versions, which implies that it is common across all versions 
of the client.

The vulnerability allows anyone with access to the client system to obtain 
the password.  It also allows anyone who has access to the obfuscated 
password in the client registry or in a policy file (.spd) to use the VPN 
client to obtain the corresponding plain-text password.

The VPN client registry, and also policy files, contain all the other 
configuration details needed to gain access to the VPN, such as the 
username and IP addresses in plain (unencrypted) format.  Therefore anyone 
with access to the VPN client system, or a policy file, can obtain all of 
the required details to access the VPN.

In the memory dump, the plain-text password is visible near to the name of 
the connection that it is associated with (e.g. "My Connections\New 
Connection").  As the password appears to be at a fixed offset from the 
connection name in the memory dump, it would be a simple matter to write a 
tool to extract the connection name and password.

Further Information:

For further information, including technical details and screenshots, see:

http://www.nta-monitor.com/news/vpn-flaws/safenet/index.htm

Roy Hills


--
Roy Hills
NTA Monitor Ltd
14 Ashford House, Beaufort Court,
Medway City Estate,
Rochester, Kent ME2 4FA, UK
Tel: +44 1634 721855
Fax: +44 1634 721844
Email: Roy.Hills@nta-monitor.com
WWW: http://www.nta-monitor.com/
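The root cause described both in the SecurityTracker summary and in the advisory's overview is key lifetime: IreIKE.exe decrypts the pre-shared key as soon as it starts and then leaves the plaintext resident for the life of the process, so any memory dump captures it. The C program below is an added example written for this page; it is not SafeNet's code and does not describe how SoftRemote actually works. It shows the pattern a client should follow instead: keep the key at rest in protected form, expose the plaintext only inside one operation (here a stand-in for the IKE SKEYID derivation), and wipe the working buffer with a zeroing routine the compiler cannot elide. The XOR pad standing in for a platform key-protection API, the FNV-style hash standing in for the IKE PRF, the test key, and every function and type name are assumptions made for the example.

```c
/* Added example (not SafeNet's code): confine the plaintext pre-shared key
 * to the duration of one operation instead of holding it for the whole
 * process lifetime. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PSK_MAX 64

/* Stand-in for a platform key-protection API (e.g. DPAPI on Windows).
 * A fixed per-install XOR pad is NOT a cipher; the point of the example is
 * the plaintext lifetime, not the strength of the at-rest protection. */
static uint8_t pad_byte(size_t i) { return (uint8_t)(0x5A + 37u * i); }

typedef struct {
    uint8_t enc[PSK_MAX]; /* key XOR pad; never holds the plaintext */
    size_t len;
} psk_store;

/* Zeroing loop through a volatile pointer so the optimiser cannot drop it
 * as a "dead store" the way a plain memset before return may be dropped. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Protect the key as soon as it is entered and wipe the caller's copy. */
static int psk_store_set(psk_store *s, char *plaintext) {
    size_t len = strlen(plaintext);
    if (len == 0 || len > PSK_MAX) return -1;
    for (size_t i = 0; i < len; i++)
        s->enc[i] = (uint8_t)plaintext[i] ^ pad_byte(i);
    s->len = len;
    secure_zero(plaintext, len);
    return 0;
}

/* The callback sees the plaintext only for the duration of the call. */
typedef int (*psk_user)(const uint8_t *key, size_t len, void *ctx);

/* Decrypt into a caller-supplied work buffer, run the operation, wipe. */
static int psk_store_use(const psk_store *s, uint8_t *work, psk_user fn, void *ctx) {
    for (size_t i = 0; i < s->len; i++) work[i] = s->enc[i] ^ pad_byte(i);
    int rc = fn(work, s->len, ctx);
    secure_zero(work, PSK_MAX);
    return rc;
}

/* Audit helper: does a memory region contain the given byte string? */
static int region_contains(const uint8_t *region, size_t n, const char *needle) {
    size_t m = strlen(needle);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(region + i, needle, m) == 0) return 1;
    return 0;
}

/* Stand-in for the IKE main-mode SKEYID = prf(psk, Ni_b | Nr_b): a 64-bit
 * FNV-1a over key || nonces. Also records whether the plaintext was visible
 * during the operation, which it necessarily is. */
typedef struct { const uint8_t *nonces; size_t nonces_len; uint64_t out; int saw_plain; } skeyid_ctx;

static int derive_skeyid(const uint8_t *key, size_t len, void *vctx) {
    skeyid_ctx *c = (skeyid_ctx *)vctx;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= key[i]; h *= 1099511628211ULL; }
    for (size_t i = 0; i < c->nonces_len; i++) { h ^= c->nonces[i]; h *= 1099511628211ULL; }
    c->out = h;
    c->saw_plain = region_contains(key, len, "constructed-test-psk");
    return 0;
}

/* Returns 1 when the plaintext was present only inside the use window:
 * visible to the callback, absent from the store, the entry buffer and
 * the work buffer afterwards. */
static int demo_lifetime(void) {
    char entered[PSK_MAX] = "constructed-test-psk";        /* constructed sample key */
    const uint8_t nonces[] = "constructed-nonces";          /* constructed Ni|Nr */
    psk_store store = {{0}, 0};
    uint8_t work[PSK_MAX];
    skeyid_ctx ctx = { nonces, sizeof nonces - 1, 0, 0 };

    if (psk_store_set(&store, entered) != 0) return 0;
    if (region_contains(store.enc, store.len, "constructed-test-psk")) return 0;
    if (psk_store_use(&store, work, derive_skeyid, &ctx) != 0) return 0;
    if (!ctx.saw_plain || ctx.out == 0) return 0;
    return !region_contains(work, PSK_MAX, "constructed-test-psk")
        && !region_contains((const uint8_t *)entered, PSK_MAX, "constructed-test-psk");
}

int main(void) {
    printf("plaintext confined to the use window: %s\n", demo_lifetime() ? "yes" : "no");
    return 0;
}
```

The pattern shrinks the exposure window; it does not remove it. A reader with access to the process during the derivation still sees the key, and the plaintext may survive in registers, in the pagefile, or in a crash dump taken while the operation runs (the advisory notes that a physical memory dump also recovered the key). A production client on Windows would pair this lifetime discipline with the platform's memory-protection and page-locking facilities for the at-rest copy, and would treat the registry and '.spd' policy files as key material in their own right rather than as merely obfuscated configuration.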

Copyright 2013, SecurityGlobal.net LLC