=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
IRM Security Advisory No. 003
Safeboot PC Security User Emuneration Vulnerability
Vulnerablity Type / Importance: User Enumeration / Medium
Problem discovered: Fri, 31 Jan 2003
Vendor contacted: Mon, 3 Feb 2003
Advisory published: March 20th 2003
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Abstract:
Safe boot PC security allows the discovery (by trial and error)
of valid user account names by distinguishing between bad login names
and bad passwords.
Description:
Safeboot (www.safeboot.com) is a software product to prevent
access to a PCs hard disk drive. This protection takes two forms:
1) Pre-Boot user authentication, 2) Hard Disk Encryption. It is with
the former that IRM identified a vulnerability.
Whilst safeboot supports a number of hardware-based tokens to
provide user authentication, without these it relies on Username and
Password Authentication.
When a user has entered a bad username or password, Safeboot
will produce an error, specifically stating which of the credentials
(username or password) is incorrect. By leaving the password blank, or
entering anything, an attacker could use trial and error to establish
valid usernames for this or other related systems, before proceding to
attempt discovery of the associated password.
Tested Versions:
Safeboot 4.1 (current version)
(The authors were not able to obtain any previous versions, but
understand these would be equally effected)
Tested Operating Systems:
Windows XP SP1
Vendor & Patch Information:
The vendor of this product, Control Break International,
was contacted. They were receptive to our report and produced
a statement reproduced here:
"Control Break International is aware of IRM's findings. We have not
considered enumeration of the user list sensitive information up to
now, as real-world user ID's are often trivial combinations of first
name, last name, and initials, and are usually easily guessable
through social engineering. With the popularity of directory systems
such as AD and Novell, user id's are increasingly similar to e-mail
addresses, yielding them even simpler to determine. We are however
sensitive to customer concerns, so for those who would like to
redefine the error messages reported for incorrect user id and
password information, we can make available replacement error message
files accordingly".
These error message files are not available for public download,
but users of Safeboot can obtain it by contacting Control Break via
their Website.
Workarounds:
See Vendor and Patch Information.
Credits:
Initial vulnerability discovery: Chris Crute
Disclaimer:
All information in this advisory is provided on an 'as is' basis
in the hope that it will be useful. Information Risk Management Plc is
not responsible for any risks or occurrences caused by the application
of this information.
A copy of this advisory may be found at http://www.irmplc.com/advisories
The PGP key used to sign IRM advisories can be obtained from the above
URL, or from keyserver.net and its mirrors.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Information Risk Management Plc. http://www.irmplc.com
22 Buckingham Gate advisories@irmplc.com
London info@irmplc.com
SW1E 6LB+44 (0)207 808 6420
