Portcullis Security Advisory No. 06-005

Vulnerable System:

M-Tech P-Synch Password Management Software

Version: 6.2.8

Other versions: Unknown.

Vulnerability Title:

P-Synch permits username enumeration

Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability.

Affected systems:

The vulnerability was found and verified against a system running on a Windows 2000 platform.

Vulnerability Details:

We identified that the application permits username enumeration.

The Test Team observed that, as an unauthenticated user, it was possible to enumerate usernames through the web application. This could be used to identify users with additional privileges for further attacks.

Portcullis recommend that the authentication provided by the application provides a mechanism whereby it is not possible to determine the validity of any portion of the authentication details provided by the remote user.

To achieve this, Portcullis suggest that the following process be adopted by the application:

1. prompt for user name;

2. ask for either domain password, or provide a link to Q&A page;

3. present questions to user;

4. on submission of either password or Q&A answers, the application should then return either authentication failed or successful.

By following this process, no indication of which part of the authentication was provided incorrectly should be supplied to the user.
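The following is an added illustration, not code from the advisory or from P-Synch: a login handler in the form the advisory describes (separate messages for an unknown login ID and for bad authentication data) beside one that follows the recommended process and returns a single failure message, plus a check that a tester can run against either handler to confirm whether the responses leak username validity. The user store, salt and passwords are constructed sample data; the Q&A path is omitted, and the uniform handler also goes slightly beyond the text by hashing a dummy credential for unknown users so the two failure paths cost the same work.

```python
import hashlib
import hmac
import secrets

def _hash(salt: bytes, password: str) -> bytes:
    # Assumption: PBKDF2-SHA256 stands in for whatever the real product uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample user store: username -> (salt, password hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}

# Dummy credential with a random password, so an unknown username still
# performs one hash comparison and never matches anything.
_DUMMY = (_SALT, _hash(_SALT, secrets.token_hex(16)))

def login_enumerable(username: str, password: str) -> str:
    """Behaviour the advisory reports: the message reveals which part failed."""
    if username not in USERS:
        return "invalid login ID"
    salt, expected = USERS[username]
    if not hmac.compare_digest(_hash(salt, password), expected):
        return "incorrect authentication data"
    return "authentication successful"

def login_uniform(username: str, password: str) -> str:
    """Recommended process: one failure message whichever part was wrong."""
    salt, expected = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_hash(salt, password), expected)
    if matched and username in USERS:
        return "authentication successful"
    return "authentication failed"

def leaks_username_validity(login) -> bool:
    """True if an unknown user and a wrong password yield different responses,
    i.e. the handler can be used as a username oracle."""
    unknown_user = login("no-such-user", "wrong")
    wrong_password = login("alice", "wrong")
    return unknown_user != wrong_password
```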

Impact:

It may be the case that this issue is considered acceptable risk in most implementations, as it is likely that a typical deployment is available only to users on a network internal to the company. Where P-Synch is deployed in an internet-facing environment, this issue becomes more of a concern.

Exploit:

None required

Vendor Status:

Notified via email 17 February 2006

Vendor Response:

This is default behavior, and is a conscious compromise between user friendliness and security. It is certainly more user friendly to explain to a user what he did wrong i.e. type an invalid login ID or provide incorrect authentication data. Clearly, by doing that, P-Synch enables attackers to figure out that a given login ID is valid (enumeration). In most organizations, login IDs are public knowledge, and can be enumerated by various means by unauthenticated users, so there is no incremental exposure, hence the default setting in favour of usability over security.

For more security-conscious organizations, and in Internet-facing deployments, the default behaviour is not appropriate. P-Synch can be configured to prevent user ID enumeration (essentially accepting invalid user ID choices and simply complaining about failed authentication) by its administrator. Should the customer wish to change this configuration, they should contact M-Tech technical support, or consult the product manual, to learn how.

Disclosure Policy:

Portcullis' Disclosure Policy can be viewed here.

Copyright:

Copyright © Portcullis Computer Security Limited 2006, All rights reserved worldwide.

Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.