Meridian Prolog Manager uses weak authentication to store and transmit user credentials

2007-12-17T00:00:00
ID VU:120593
Type cert
Reporter CERT
Modified 2007-12-19T00:00:00

Description

Overview

Meridian Systems Prolog Manager does not use strong encryption and returns a list of all user credentials when authenticating clients. These behaviors could allow an attacker to obtain user credentials and decrypt passwords.

Description

Meridian Systems Prolog Manager is a set of construction project management tools that are designed to interface with a Microsoft SQL Server.

Prolog Manager administrators can choose to use one of the following methods to encrypt the passwords:

* no encryption 
* standard encryption 
* enhanced encryption

By default, no encrytion is selected, and Prolog Manager does not use sufficiently strong encryption when standard encryption or enhanced encryption are selected. In addition, when a client logs into Prolog Manager, the authentication credentials of all users in the system are returned to the client. An attacker could obtain credentials by sniffing network traffic or by sending an invalid login request to the Prolog Manager server and capturing the response. The attacker may then be able to decrypt passwords offline.


Impact

An attacker who can intercept network traffic or send an invalid loin request can obtain authentication credentials and decrypt passwords.


Solution

We are currently unaware of a practical solution to this problem.


Use database and network encryption

* Enabling the `enhanced encryption` option may increase the effort required for an attacker to decrpt passwords. See the Meridian [November 2004 Product Tip](<http://www.meridiansystems.com/newsevents/newsletter/Newsletter_November_04_tip.htm>) for more information about enabling encryption. 
* Using an encrypted VPN or similar technology when accessing the Prolog Manager server may prevent an attacker from sniffing network traffic.

Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Meridian Systems| | 27 Sep 2007| 19 Dec 2007
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.meridiansystems.com/products/prolog/PM/projectmanagementtools.asp>
  • <http://www.meridiansystems.com/newsevents/newsletter/Newsletter_November_04_tip.htm>
  • <http://www.securityfocus.com/archive/1/484886/30/0/threaded>
  • <http://www.microsoft.com/protect/yourself/password/create.mspx>
  • <http://secunia.com/advisories/28065/>

Credit

Information about this vulnerability was posted on the bugtraq mailing list.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: CVE-2007-6330
  • Date Public: 11 Dec 2007
  • Date First Published: 17 Dec 2007
  • Date Last Updated: 19 Dec 2007
  • Severity Metric: 1.77
  • Document Revision: 28