Security Advisory 06 – 005 – P-Synch permits username enumeration

Vulnerable System:

M-Tech P-Synch Password Management Software

Version:

6.2.8

Other versions:

Unknown

Vulnerability discovery and development:

Portcullis Security Testing Services discovered this vulnerability.

Affected Systems:

The vulnerability was found and verified against a system running on a Windows 2000 platform.

Details:

We identified that the application permits username enumeration.
The Test Team observed that, as an unauthenticated user, it was possible to enumerate usernames through the web application. This could be used to identify users with additional privileges for further attacks. Portcullis recommends that the application's authentication be implemented so that a remote user cannot determine the validity of any single component of the authentication details they supplied.

To achieve this, Portcullis suggest that the following process be adopted by the application:

1. prompt for user name;

2. ask for either domain password, or provide a link to Q&A page;

3. present questions to user;

4. on submission of either the password or the Q&A answers, the application should return only "authentication failed" or "authentication successful".

By following this process, no indication of which part of the authentication was provided incorrectly should be supplied to the user.
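The four-step process above, as an added example that is not part of the original advisory or of the P-Synch product: a leaky check of the kind the advisory describes beside a uniform-response check that takes the same path and returns the same verdict whether the login ID is unknown, the password is wrong or the Q&A answers are wrong. The user store, salt, question texts and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data (not real P-Synch accounts). Iteration count is
# kept low so the example runs quickly; a real deployment would use more.
def _h(salt: bytes, secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)

_SALT = b"constructed-fixed-salt"
USERS = {
    "alice": {
        "pw": _h(_SALT, "correct horse"),
        "qa": {"Pet's name?": _h(_SALT, "rex"), "First school?": _h(_SALT, "hilltop")},
    }
}
# Dummy record: an unknown login ID costs the same work and follows the same path.
_DUMMY = {"pw": _h(_SALT, os.urandom(16).hex()), "qa": {}}

GENERIC_FAIL = "authentication failed"
SUCCESS = "authentication successful"


def authenticate_leaky(username: str, password: str) -> str:
    """The behaviour the advisory reports: the message reveals whether the ID exists."""
    user = USERS.get(username)
    if user is None:
        return "invalid login ID"
    if hmac.compare_digest(user["pw"], _h(_SALT, password)):
        return SUCCESS
    return "incorrect password"


def authenticate_uniform(username: str, password: Optional[str] = None,
                         answers: Optional[Dict[str, str]] = None) -> str:
    """Steps 1-4 of the recommended process: one generic verdict, never which part failed."""
    user = USERS.get(username, _DUMMY)
    if password is not None:
        ok = hmac.compare_digest(user["pw"], _h(_SALT, password))
    elif answers and user["qa"] and answers.keys() == user["qa"].keys():
        # Evaluate every answer (no short-circuit) so timing does not single one out.
        results = [hmac.compare_digest(user["qa"][q], _h(_SALT, a)) for q, a in answers.items()]
        ok = all(results)
    else:
        ok = False
    # Unknown ID, wrong password and wrong answers all collapse to the same response.
    return SUCCESS if (ok and user is not _DUMMY) else GENERIC_FAIL
```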

Impact:

It may be the case that this issue is considered acceptable risk in most implementations, as it's likely that a typical deployment is available only to users on a network internal to the company. Where P-Synch is deployed in an internet-facing environment, this issue becomes more of a concern.

Exploit:

None required

Vendor Status:

Notified via email 17 February 2006

Vendor Response:

This is default behaviour, and is a conscious compromise between user friendliness and security. It is certainly more user-friendly to explain to a user what he did wrong, i.e., that he typed an invalid login ID or provided incorrect authentication data. Clearly, by doing that, P-Synch enables attackers to figure out that a given login ID is valid (enumeration). In most organizations, login IDs are public knowledge, and can be enumerated by various means by unauthenticated users, so there is no incremental exposure, hence the default setting in favour of usability over security.

For more security-conscious organizations, and in Internet-facing deployments, the default behaviour is not appropriate. P-Synch can be configured to prevent user ID enumeration (essentially accepting invalid user ID choices and simply complaining about failed authentication) by its administrator. Should the customer wish to change this configuration, they should contact M-Tech technical support, or consult the product manual, to learn how.

Copyright:

Copyright © Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.