ISS X-Force Database: dameware-encryption-key-plaintext(15586): DameWare Mini Remote Control transmits encryption key in plain text

DameWare Mini Remote Control transmits encryption key in plain text

dameware-encryption-key-plaintext (15586)

Medium Risk

Description:

DameWare Mini Remote Control could allow a remote attacker to obtain sensitive information. DameWare Mini Remote Control transmits the Blowfish encryption key in plain text. A remote attacker using a network sniffing tool could sniff traffic and recover sensitive information.

Platforms Affected:

DameWare, DameWare Mini Remote Control 4.1.0.0

Remedy:

DameWare 3.x users should download and install version 3.74. DameWare 4.x users download and install version 4.2 or above. Downloads are available at the DameWare Products Development Web site. See References.

Consequences:

Obtain Information

References:

DameWare Products Development Web site, DameWare Development Downloads at http://www.dameware.com/download/.
DameWare Security Bulletin #3, DameWare Mini Remote Control Encryption Key issues resolved with the release of versions 3.74 & 4.2 at http://www.dameware.com/support/security/bulletin.asp?ID=SB3.
Full-Disclosure Mailing List, Tue Mar 23 2004 - 14:00:19 CST, Dameware Passes Weak File Encryption Key in the Clear at http://archives.neohapsis.com/archives/fulldisclosure/2004-03/1139.html.
BID-9909: DameWare Mini Remote Control Server Weak Encryption Implementation Vulnerability
BID-9959: DameWare Mini Remote Control Server Clear Text Encryption Key Disclosure Vulnerability
CVE-2004-1852: DameWare Mini Remote Control 3.x before 3.74 and 4.x before 4.2 transmits the Blowfish encryption key in plaintext, which allows remote attackers to gain sensitive information.
SA11205: DameWare Products Weak Encryption Implementation
SECTRACK ID: 1009557: Dameware Mini Remote Control Sends a File Encryption Key as Clear Text

Reported:

Mar 23, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page