Security Advisory 06 – 005 – P-Synch permits username enumeration
M-Tech P-Synch Password Management Software
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability.
The vulnerability was found and verified against a system running on a Windows 2000 platform.
We identified that the application permits username enumeration.
The Test Team observed that, as an unauthenticated user, it was possible to enumerate usernames through the web application: the response to an unknown login ID differs from the response to a valid login ID with incorrect credentials, so a valid ID can be confirmed without ever authenticating. This could be used to identify users with additional privileges for further attacks. Portcullis recommend that the application's authentication mechanism give no indication of which part of the authentication details supplied by the remote user is invalid.
To achieve this, Portcullis suggest that the following process be adopted by the application:
1. prompt for user name;
2. ask for either domain password, or provide a link to Q&A page;
3. present questions to user;
4. on submission of either the password or the Q&A answers, the application should return only "authentication failed" or "authentication successful".
By following this process, the user receives no indication of which part of the authentication details was incorrect, and an unknown login ID is indistinguishable from a known one with the wrong password or answers.
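The following is an added example, not code from the advisory or from M-Tech's product, showing the difference between the leaky behaviour described above and the uniform-response process recommended by Portcullis. It models only the password branch of the process (the Q&A branch would be handled the same way), uses a constructed in-memory user store, and includes a small oracle-based enumeration routine of the kind an unauthenticated tester would use to confirm the issue. All user names, salts and passwords are invented for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: login ID -> (salt, PBKDF2 hash).
# This is illustrative only, not P-Synch's real storage format.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT_ALICE = b"constructed-salt-alice"
USERS = {
    "alice": (_SALT_ALICE, _pbkdf2("correct horse", _SALT_ALICE)),
}

# Dummy record used for unknown login IDs so that the same hashing work is
# done whether or not the ID exists (a timing side channel would otherwise
# leak what the error message no longer does).
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _pbkdf2("unused-dummy-password", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """The default behaviour the advisory describes: two distinct failure
    messages, so the message itself is a username-validity oracle."""
    if username not in USERS:
        return "Invalid login ID"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return "Incorrect authentication data"
    return "Authentication successful"


def login_uniform(username: str, password: str) -> str:
    """The recommended behaviour: one failure message for every failed
    attempt, and equal work for known and unknown login IDs."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    digest_ok = hmac.compare_digest(_pbkdf2(password, salt), stored)
    # The explicit membership check stops an unknown ID from "succeeding"
    # if someone happens to supply the dummy record's password.
    ok = digest_ok and username in USERS
    return "Authentication successful" if ok else "Authentication failed"


def enumerate_users(login_fn, candidates, password: str = "x") -> set:
    """Oracle test: any candidate whose failure response differs from the
    response for a random, certainly-unknown login ID is a valid user."""
    baseline = login_fn("no-such-user-" + secrets.token_hex(8), password)
    return {u for u in candidates if login_fn(u, password) != baseline}


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol"]
    print("leaky   :", enumerate_users(login_leaky, wordlist))    # {'alice'}
    print("uniform :", enumerate_users(login_uniform, wordlist))  # set()
```

Run against `login_leaky`, the enumeration routine recovers `alice` from the wordlist without a single correct password; against `login_uniform` it recovers nothing, because every failed attempt looks the same. The dummy-record trick matters in practice: if unknown IDs were rejected before the password hash was computed, response time would reveal what the message no longer does.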
It may be the case that this issue is considered an acceptable risk in most implementations, as a typical deployment is likely to be available only to users on a network internal to the company. Where P-Synch is deployed in an internet-facing environment, this issue becomes more of a concern.
Notified via email 17 February 2006
This is default behaviour, and is a conscious compromise between user friendliness and security. It is certainly more user friendly to explain to a user what he did wrong, i.e. typed an invalid login ID or provided incorrect authentication data. Clearly, by doing that, P-Synch enables attackers to figure out that a given login ID is valid (enumeration). In most organizations, login IDs are public knowledge, and can be enumerated by various means by unauthenticated users, so there is no incremental exposure, hence the default setting in favour of usability over security.
For more security-conscious organizations, and in Internet-facing deployments, the default behaviour is not appropriate. P-Synch can be configured by its administrator to prevent user ID enumeration (essentially accepting invalid user ID choices and simply complaining about failed authentication). Should the customer wish to change this configuration, they should contact M-Tech technical support, or consult the product manual, to learn how.