SecurityTracker.com

SecurityTracker
Archives

Category: Application (Security) > CodeSafe
Vendors: nCipher
nCipher CodeSafe Java Incompatibility May Leak Smart Card Passphrases to the User's Operating System Shell
SecurityTracker Alert ID: 1004540
SecurityTracker URL: http://securitytracker.com/id/1004540
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 14 2002
Impact: Disclosure of authentication information
Vendor Confirmed: Yes
Exploit Included: Yes

Description:   A vulnerability was reported in the 'TrustedCodeTool' component of nCipher's CodeSafe product. Java applications using the 'ConsoleCallBack' class on Microsoft Windows platforms may leak smart card passphrases to the user's command shell in certain cases.

nCipher issued a security advisory warning of an incompatibility between the nCipher 'TrustedCodeTool' command line utility supplied to CodeSafe customers and the Java Runtime Environment (JRE) 1.4.0.

The affected code is the 'ConsoleCallBack' class. A legitimate use of the nCipher ConsoleCallBack is to read a passphrase from the user when the user is loading a smart card that is protected by a passphrase. The code that reads this passphrase is reportedly incompatible with JRE version 1.4.0 on Windows platforms: it prompts the user for a passphrase but does not continue after the user has entered it. Because the typed line is never consumed by the hung process, a local user who kills that process leaves the passphrase for the command shell, which receives it as its next input.

This flaw can be more serious if the user's command shell supports history tracking, as the history file may contain the passphrase.

nCipher notes that the security of the HSM is unaffected.
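
The failure mode described above, modelled as an added example (this is not nCipher's code or anything from the advisory): a child process prompts for a passphrase but never consumes the line the user typed, the user kills it, and the parent "shell" then reads the passphrase out of the shared input buffer. A pipe stands in for the terminal's input buffer, the passphrase is a constructed value, and the hypothetical `HUNG_READER` and `CONSUMING_READER` scripts are assumptions standing in for the incompatible reader and a correct one. It needs a POSIX Python, so it shows the principle rather than the Windows/JRE 1.4.0 specifics.

```python
"""Added illustration of the advisory's failure mode: a passphrase prompt that
hangs without consuming the typed line, so that once the process is killed the
line is still in the input buffer and the shell reads it. The 'terminal' is a
pipe and the 'shell' is this process; constructed model, not nCipher's code."""
import os
import select
import subprocess
import sys

# Constructed sample passphrase; the trailing newline is the user pressing Enter.
PASSPHRASE = "correct horse battery staple"

# Hypothetical reader that prompts but never reads stdin, modelling the hung
# ConsoleCallBack behaviour described in the advisory.
HUNG_READER = (
    "import sys, time\n"
    "sys.stdout.write('Enter passphrase: '); sys.stdout.flush()\n"
    "time.sleep(60)\n"
)

# Hypothetical reader that consumes the line before doing anything else.
CONSUMING_READER = (
    "import sys\n"
    "sys.stdout.write('Enter passphrase: '); sys.stdout.flush()\n"
    "line = sys.stdin.readline()\n"
)


def shell_reads_after_child(reader_script: str, passphrase: str = PASSPHRASE) -> str:
    """Run reader_script with its stdin on the shared input buffer, feed it the
    typed passphrase, make sure the child is gone, and return whatever the
    'shell' (this process) can still read from that buffer afterwards."""
    rfd, wfd = os.pipe()  # stands in for the terminal's input buffer
    try:
        child = subprocess.Popen(
            [sys.executable, "-c", reader_script],
            stdin=rfd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        # The user types the passphrase and presses Enter; the bytes sit in the
        # buffer until some process on that input reads them.
        os.write(wfd, (passphrase + "\n").encode())
        try:
            # A well-behaved reader consumes the line and exits promptly.
            child.wait(timeout=3)
        except subprocess.TimeoutExpired:
            # The hung reader never returns; the user gives up and kills it.
            child.kill()
            child.wait()
        # The shell regains the input and reads whatever is left there.
        ready, _, _ = select.select([rfd], [], [], 0.5)
        if not ready:
            return ""
        return os.read(rfd, 4096).decode()
    finally:
        os.close(rfd)
        os.close(wfd)


def leaked_to_shell(reader_script: str) -> bool:
    """True if the passphrase ends up readable by the shell after the child is gone."""
    return PASSPHRASE in shell_reads_after_child(reader_script)


if __name__ == "__main__":
    print("hung reader leaks passphrase:", leaked_to_shell(HUNG_READER))
    print("consuming reader leaks passphrase:", leaked_to_shell(CONSUMING_READER))
```

On a real console the unread line waits in the terminal's line buffer rather than a pipe, and a shell that picks it up treats it as a command line; if that shell keeps a history file, the passphrase is written there too, which is the caveat the advisory raises.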

Impact:   A local user's passphrase may be passed to the user's operating system command shell. This passphrase may be recorded in the command shell history file, if one exists.
Solution:   No solution was available at the time of this entry.

The vendor is reportedly working on software updates. In the meantime, the vendor recommends that users who are running an affected version of the JRE revert to an earlier version of the JRE, if possible. Additional recommendations and advice are provided in the advisory, available at:

http://www.ncipher.com/support/advisories/advisory4_java.html

Copies of the advisory, patch kits (when available) for all nCipher supported platforms, and supporting documentation can be obtained from the nCipher updates site:

http://www.ncipher.com/support/advisories/

Vendor URL:  www.ncipher.com/support/advisories/advisory4_java.html
Cause:   State error
Underlying OS:  Java, Windows (NT), Windows (2000)
Underlying OS Comments:  Using JRE 1.4.0

Message History:   None.


 Source Message Contents

Subject:  nCipher advisory


http://www.ncipher.com/support/advisories/advisory4_java.html

nCipher issued a security advisory warning that, in certain
circumstances, Java applications using the standard nCipher
ConsoleCallBack class on Windows NT and Windows 2000 platforms may leak
smart card passphrases to the current user's shell.

According to the report, a version of the nCipher 'TrustedCodeTool'
command line utility supplied to CodeSafe customers is also vulnerable.

A legitimate function of the nCipher ConsoleCallBack is to read a
passphrase from the user when the user is loading a smart card that is
protected by a passphrase.  The code that reads this passphrase is
reportedly incompatible with version 1.4.0 of the Java Runtime
Environment (JRE) on Windows platforms.  The code will prompt the user
for a passphrase, but will not continue after the user has entered their
passphrase.  As a result, a local user can kill the process and the
command shell will receive the user's passphrase.

Sites running JRE 1.4.0 on Windows and using the ConsoleCallBack are
vulnerable.

This flaw can be more serious if the user's command shell supports
history tracking, as the history file may contain the passphrase.

nCipher notes that the security of the HSM is unaffected.

The vendor is reportedly working on software updates.  In the meantime,
the vendor recommends that users who are running an affected version of
the JRE revert to an earlier version of the JRE, if possible. 
Additional recommendations and advice are provided in the advisory,
available at:

http://www.ncipher.com/support/advisories/advisory4_java.html

Copies of the advisory, patch kits (when available) for all nCipher
supported platforms, and supporting documentation can be obtained from
the nCipher updates site:

http://www.ncipher.com/support/advisories/

Copyright 2021, SecurityGlobal.net LLC