Vulnerablity Type / Importance: User Enumeration / Medium
Problem discovered: Fri, 31 Jan 2003
Vendor contacted: Mon, 3 Feb 2003
Advisory published: March 20th 2003
Abstract:
Safe boot PC security allows the discovery (by trial and error) of valid user account names by distinguishing between bad login names and bad passwords.
Description:
Safeboot (www.safeboot.com) is a software product to prevent access to a PCs hard disk drive. This protection takes two forms:
1) Pre-Boot user authentication
2) Hard Disk Encryption.
It is with the former that IRM identified a vulnerability.
Whilst safeboot supports a number of hardware-based tokens to provide user authentication, without these it relies on Username and Password Authentication.
When a user has entered a bad username or password, Safeboot will produce an error, specifically stating which of the credentials (username or password) is incorrect. By leaving the password blank, or entering anything, an attacker could use trial and error to establish valid usernames for this or other related systems, before proceding to attempt discovery of the associated password.
Tested Versions:
Safeboot 4.1 (current version)
(The authors were not able to obtain any previous versions, but understand these would be equally affected)
Tested Operating Systems:
Windows XP SP1
Vendor & Patch Information:
The vendor of this product, Control Break International, was contacted. They were receptive to our report and produced a statement reproduced here:
"Control Break International is aware of IRM's findings. We have not considered enumeration of the user list sensitive information up to now, as real-world user ID's are often trivial combinations of first name, last name, and initials, and are usually easily guessable through social engineering. With the popularity of directory systems such as AD and Novell, user id's are increasingly similar to e-mail addresses, yielding them even simpler to determine. We are however sensitive to customer concerns, so for those who would like to redefine the error messages reported for incorrect user id and password information, we can make available replacement error message files accordingly".
These error message files are not available for public download, but users of Safeboot can obtain it by contacting Control Break via their Website.
Workarounds:
See Vendor and Patch Information.
Credits:
Initial vulnerability discovery: C Crute
Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.