nCipher ConsoleCallBack Class leaks smart card passphrases

ncipher-consolecallback-passphrase-leak (9354)

Risk level: Medium

Description:

The ConsoleCallBack Class is a console Java program developed by nCipher. An incompatibility between the ConsoleCallBack Class and JRE (Java Runtime Environment) version 1.4.0 running on Windows NT/2000 could allow shell users to obtain smart card passphrases. When a user types the smart card passphrase at the console prompt, the console becomes unresponsive. If the user then terminates the process with CTRL-C, the command shell receives the typed passphrase as input, which can disclose the passphrase to anyone with access to that shell.


Consequences:

Obtain Information

Remedy:

No remedy available as of September 1, 2014.

References:

  • nCipher Security Advisory No. 4: Console Java applications can leak passphrases on Windows.
  • BID-5024: nCipher ConsoleCallBack Class With JRE 1.4.0 Smart Card Passphrase Leak Vulnerability
  • CVE-2002-0941: The ConsoleCallBack class for nCipher running under JRE 1.4.0 and 1.4.0_01, as used by the TrustedCodeTool and possibly other applications, may leak a passphrase when the user aborts an application that is prompting for the passphrase, which could allow attackers to gain privileges.
  • OSVDB ID: 14875: nCipher ConsoleCallBack Class Application Abort Passphrase Disclosure

Platforms Affected:

  • nCipher ConsoleCallBack Class
  • Sun JRE 1.4.0

Reported:

Jun 14, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com