Identix BioLogon could allow attackers to bypass authentication
identix-biologon-auth-bypass (6948)
Description:
Identix BioLogon could allow a local attacker to bypass authentication and gain unauthorized access to the host. If the BioLogon client is used for authentication on a system with multiple monitors, a local attacker can access the host from one of the virtual desktops, bypassing the authentication mechanism.
Platforms Affected:
- Identix, Identix BioLogon Client 2.0
- Identix, Identix BioLogon Client 2.3
Remedy:
The manufacturer recommends using Windows 2000 along with BioLogon for Windows 2000 when security is a concern and the combination of biometrics and multiple monitors is required.
Consequences:
Gain Access
References:
- Identix Software Web site, Software at http://www.identix.com/products/itsecurity/index.asp.
- NTBugTraq Mailing List, Thu, 2 Aug 2001 10:56:28 -0400, Identix BioLogon Client security bug at http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=IND0108&L=NTBUGTRAQ&F=P&S=&P=71.
- NTBugTraq Mailing List, Wed, 8 Aug 2001 15:49:41 -0700, Response to Identix BioLogon Client security bug at http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind0108&L=ntbugtraq&F=P&S=&P=724.
- BID-3140: Identix BioLogon Client Biometric Authentication Bypass Vulnerability
- CVE-2001-1116: Identix BioLogon 2.03 and earlier does not lock secondary displays on a multi-monitor system running Windows 98 or ME, which allows an attacker with physical access to the system to bypass authentication through a secondary display.
- OSVDB ID: 5453: Identix BioLogon Secondary Display Access Bypass
Reported:
Aug 02, 2001
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
