[NT] McAfee SafeBoot Device Encryption Plain Text Password Disclosure



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



McAfee SafeBoot Device Encryption Plain Text Password Disclosure
------------------------------------------------------------------------


SUMMARY

The password checking routine of SafeBoot Device Encryption fails to
sanitize the BIOS keyboard buffer after reading passwords, resulting in
plain text password leakage to unprivileged local users.

DETAILS

Vulnerable Systems:
* SafeBoot Device Encryption version 4 Build 4750 and below

Immune Systems:
* SafeBoot Device Encryption version 4 Build 4760 and above
* SafeBoot Device Encryption version 5.x

SafeBoot's pre-boot authentication routines use the BIOS API to read user
input from the keyboard. The BIOS internally copies the keystrokes into a
RAM structure called the BIOS Keyboard buffer, inside the BIOS Data Area.
This buffer is not flushed after use, resulting in potential plain text
password leakage once the OS is fully booted, assuming the attacker can
read the password at physical memory location 0x40:0x1e.
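
The mechanism described above, together with one way to sanitize the buffer after password entry, as an added example that is not code from the advisory or the vendor. The head and tail pointer offsets (0x40:0x1a and 0x40:0x1c) and the 32-byte buffer size follow the conventional PC BIOS Data Area layout and are assumptions not stated in the advisory; the in-memory model, the password and the scan code are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model of the BIOS Data Area (segment 0x40), conventional PC layout:
 * head pointer at 0x1a, tail pointer at 0x1c, 32-byte ring buffer at 0x1e. */
enum { KBD_HEAD = 0x1a, KBD_TAIL = 0x1c, KBD_BUF = 0x1e, KBD_LEN = 32 };
static uint16_t rd16(const uint8_t *b, size_t o) { return (uint16_t)(b[o] | (b[o + 1] << 8)); }
static void wr16(uint8_t *b, size_t o, uint16_t v) { b[o] = (uint8_t)v; b[o + 1] = (uint8_t)(v >> 8); }
static uint16_t next_slot(uint16_t p) { return (uint16_t)(p + 2 >= KBD_BUF + KBD_LEN ? KBD_BUF : p + 2); }

/* Keyboard interrupt side: store ASCII + scan code at the tail, then advance it. */
static void sim_keypress(uint8_t *bda, uint8_t ascii, uint8_t scan) {
    uint16_t tail = rd16(bda, KBD_TAIL);
    bda[tail] = ascii; bda[tail + 1] = scan;
    wr16(bda, KBD_TAIL, next_slot(tail));
}

/* Read-key side: consume the entry at the head. The slot itself is not cleared. */
static uint8_t sim_readkey(uint8_t *bda) {
    uint16_t head = rd16(bda, KBD_HEAD);
    wr16(bda, KBD_HEAD, next_slot(head));
    return bda[head];
}

/* Count the non-zero bytes still present in the ring buffer. */
size_t kbd_residue(const uint8_t *bda) {
    size_t n = 0;
    for (size_t i = 0; i < KBD_LEN; i++) n += bda[KBD_BUF + i] != 0;
    return n;
}

/* Mitigation: zero the ring buffer and reset both pointers after password entry. */
void kbd_scrub(uint8_t *bda) {
    volatile uint8_t *p = bda + KBD_BUF;   /* volatile: keep the wipe from being optimized out */
    for (size_t i = 0; i < KBD_LEN; i++) p[i] = 0;
    wr16(bda, KBD_HEAD, KBD_BUF); wr16(bda, KBD_TAIL, KBD_BUF);
}

/* Type and consume a constructed password, optionally scrub, return leftover bytes. */
size_t demo_residue(int scrub) {
    uint8_t bda[0x100] = {0};
    kbd_scrub(bda);                               /* start with an empty, initialized buffer */
    for (const char *c = "Example1"; *c; c++) {   /* constructed sample password */
        sim_keypress(bda, (uint8_t)*c, 0x01);     /* 0x01: placeholder scan code */
        (void)sim_readkey(bda);
    }
    if (scrub) kbd_scrub(bda);
    return kbd_residue(bda);
}
int main(void) { printf("unscrubbed=%zu scrubbed=%zu\n", demo_residue(0), demo_residue(1)); return 0; }
```

Although every keystroke has been consumed and the head and tail pointers are equal, the unscrubbed run still holds all 16 bytes of the password entries; only the explicit wipe removes them.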

Impact:
Plain text password disclosure. Local guest access is required, but
physical access to the machine is not.

Vendor response:
"SafeBoot Device Encryption v4, Build 4750 and below are subject to this
vulnerability. Builds 4760 and above are not. Customers should upgrade to
the current version of SafeBoot Device Encryption v4, or migrate to the
current McAfee Endpoint Encryption for PC v5 platform which replaced the
earlier product in March 2007."


ADDITIONAL INFORMATION

The information has been provided by Jonathan Brossard.
The original article can be found at:
<http://www.ivizsecurity.com/security-advisory-iviz-sr-08010.html>


