In December of the 2002 I was analysing the ActivCard product for a client. During the analysis I noticed that making a memory dump of the process "scardsrv" was possible to obtain the users stored staticaly in the card. This issue at first, could seem smaller, although in depth already it has a very serious character, but deepening the analisis I found that even with the card pulled out from the pc the users and passwords remained in memory. This was reported properly to ActivCard (this can be reed in the mail thread at next). This was the answer Here is the answer from our Product Manager about this issue: The problem found relates to accessing static passwords stored (for performance) in a memory cache by ActivCard Gold. ActivCard recognizes the seriousness of this problem, and will fix it in the next version of the product - ActivCard is currently working on a mechanism that will prevent a memory dump to access any kind of personal data. Note that this problem is only applicable to static passwords. PKI private keys and Dynamic Password keys are always stored securely on the card and never loaded on the PC. Also note that this problem only happens after the user has accessed the card with his PIN, and while the user is still using the card. As soon as the user removes the card and logs out of his session, the cache is cleared and the static passwords cannot be accessed anymore. (/****NOTE***** This is not true, I do some test and even when pulled out the card the users and pass remain in memory area******/) Regards, Jensen Toma I have not recived any news or contact since february, I believe is convenient to publish this "vulnerability" to accelerate the process of correction. Hernán Otero http://www.xss.com.ar I don´t like this..., but i think this is the only way to accelerate the patch. The messagesthread... -----Original Message----- From: OTERO Hernan Gustavo EDS Sent: Viernes, 14 de Marzo de 2003 04:58 p.m. To: 'PUB: Jensen Toma'; 'jlazou@activcard.com' Subject: RE: Technical Support Form Submission Do you have any advance in this particular issue...? I think we are in time to release this information... Regards, Hernán -----Original Message----- From: PUB: Jensen Toma [mailto:jtoma@activcard.com] Sent: Miércoles, 12 de Febrero de 2003 02:17 p.m. To: 'OTERO Hernan Gustavo EDS' Cc: Jean-Luc Azou Subject: RE: Technical Support Form Submission Hernan, I would suggest you coordinate with Jean-Luc Azou who is the Product Marketing Manager for Gold. He can get you more information for your publication and status on the next version of Gold. Regards, Jensen -----Original Message----- From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net] Sent: Wednesday, February 12, 2003 3:27 AM To: 'PUB: Jensen Toma' Subject: RE: Technical Support Form Submission Jensen, there is any news... can i publish this ?? Regards, -----Original Message----- From: PUB: Jensen Toma [mailto:jtoma@activcard.com] Sent: Viernes, 13 de Diciembre de 2002 06:09 p.m. To: 'OTERO Hernan Gustavo EDS' Subject: RE: Technical Support Form Submission No firm date yet, but currently targetted for late Q1/early Q2 of next year. -----Original Message----- From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net] Sent: Friday, December 13, 2002 12:33 PM To: 'PUB: Jensen Toma' Subject: RE: Technical Support Form Submission Jensen, When you expect to release the next version of ActivCard ?? Regards, Hernán Otero -----Original Message----- From: PUB: Jensen Toma [mailto:jtoma@activcard.com] Sent: Miércoles, 11 de Diciembre de 2002 09:41 p.m. To: 'OTERO Hernan Gustavo EDS' Subject: RE: Technical Support Form Submission Hernan, Here is the answer from our Product Manager about this issue: The problem found relates to accessing static passwords stored (for performance) in a memory cache by ActivCard Gold. ActivCard recognizes the seriousness of this problem, and will fix it in the next version of the product - ActivCard is currently working on a mechanism that will prevent a memory dump to access any kind of personal data. Note that this problem is only applicable to static passwords. PKI private keys and Dynamic Password keys are always stored securely on the card and never loaded on the PC. Also note that this problem only happens after the user has accessed the card with his PIN, and while the user is still using the card. As soon as the user removes the card and logs out of his session, the cache is cleared and the static passwords cannot be accessed anymore. Regards, Jensen Toma -----Original Message----- From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net] Sent: Tuesday, December 10, 2002 6:55 AM To: 'PUB: Jensen Toma' Subject: RE: Technical Support Form Submission Could you reproduce the problem? Hernán Otero -----Original Message----- From: OTERO Hernan Gustavo EDS Sent: Lunes, 09 de Diciembre de 2002 11:51 a.m. To: 'PUB: Jensen Toma' Subject: RE: Technical Support Form Submission I will try to collect more information to you, by now I send some answers to your questions. 1) I´m using version ActivCard (R) Gold 2.2 (BN39) October 11th, 2002 2) The smart card type 16k ( What other info you need ? ) 3) I´m not working in any way with the DoD. 4) I need to take an extra care in the dump of the memory because I cannot send any private information. This can take some extra time...But if you want to reproduce the test. Add some static password to your card, then only put your card pin ( without using any of the static passwords ) and using pmdump dump the memory of scardsrv process and you will see the users and passwords in the memory dump. Thanks, Hernán Otero -----Original Message----- From: PUB: Jensen Toma [mailto:jtoma@activcard.com] Sent: Jueves, 05 de Diciembre de 2002 04:58 p.m. To: 'bazhgo@techint.net' Subject: RE: Technical Support Form Submission Hernan, Thank you for informing us of this. I have a few questions for you which will help me to diagnose and work on this issue: 1) What version of ActivCard Gold are you using? This information can be found in the readme.txt in the installation package or in c:\program files\activcard\activcard gold\docs. 2) What type of smart card are you using? 3) Is this in any way related to the DOD project? If so, is this related to RAPIDS? 4) Could you provide me a copy of the dump and/or the analysis of the dump? All of these items will be useful in helping us to analyze the situation. Best Regards, Jensen Toma Regional Manager of Support direct: 510.745.6254 jtoma@activcard.com -----Original Message----- From: support@activcard.com [mailto:support@activcard.com] Sent: Thursday, December 05, 2002 9:18 AM To: supportweb@activcard.com Subject: Technical Support Form Submission technicalsupportformdata first:Hernan last:Otero email:[email:bazhgo@techint.net] url: phone:05411-XXXX-XXXX fax: company:XXXXXXX Argentina title:Security Analyst country:AR contact: problem:Making a memory dump of the proccess scardsrv I found all the statics users and passwords stored in the card in plain text. This is a security flaw. ¿Can you tell me if it can be repaired and when? All the test was made in Windows XP with SCM Microsystems SCR201 Smart Card Reader and ActivCard Gold I will do a report, then in a cordinated release with your patch our upgrade I will send this report to bugtraq. products: server:Windows 2000 server_service_pack: other_server: workstation:Other workstation_service_pack: win_98_version: win_95_version: other_workstation:XP message: operational:yes production: demonstration: system_down: evaluation: different_card: different_token: different_workstation: duplicated: different_server: reinstalled: resolved: business_operations: other_products: reseller:
