Meridian Systems Prolog Manager does not use strong encryption and returns a list of all user credentials when authenticating clients. These behaviors could allow an attacker to obtain user credentials and decrypt passwords.
Meridian Systems Prolog Manager is a set of construction project management tools that are designed to interface with a Microsoft SQL Server.
Prolog Manager administrators can choose to use one of the following methods to encrypt the passwords:
* no encryption * standard encryption * enhanced encryption
no encrytionis selected, and Prolog Manager does not use sufficiently strong encryption when
enhanced encryptionare selected. In addition, when a client logs into Prolog Manager, the authentication credentials of all users in the system are returned to the client. An attacker could obtain credentials by sniffing network traffic or by sending an invalid login request to the Prolog Manager server and capturing the response. The attacker may then be able to decrypt passwords offline.
An attacker who can intercept network traffic or send an invalid loin request can obtain authentication credentials and decrypt passwords.
We are currently unaware of a practical solution to this problem.
Use database and network encryption
* Enabling the `enhanced encryption` option may increase the effort required for an attacker to decrpt passwords. See the Meridian [November 2004 Product Tip](<http://www.meridiansystems.com/newsevents/newsletter/Newsletter_November_04_tip.htm>) for more information about enabling encryption. * Using an encrypted VPN or similar technology when accessing the Prolog Manager server may prevent an attacker from sniffing network traffic.
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Vendor has issued information
__ Sort by: Status Alphabetical
Affected Unknown __ Unaffected
Notified: September 27, 2007 Updated: December 19, 2007
Created: December 14, 2007 Applies to: Prolog Manager (All versions)
This bulletin applies to any customer who currently uses any version of Meridian’s Prolog Manager product.
Meridian has become aware of a security vulnerability within Prolog Manager that could impact sections of the Prolog user community. This vulnerability concerns the method by which Prolog Manager handles password information.
There is a risk that password data could be intercepted and under certain circumstances a malicious internal user with cryptographic knowledge could determine the content of a user’s password.
It is important to note that this vulnerability would only allow password data to be intercepted by internal users with network access, and customers who have a correctly configured firewall in their environment remain protected from external threats.
Meridian recognizes that this security vulnerability must be addressed as a matter of urgency, and as such we are working towards resolving the problem as quickly as possible.
Who may be affected
This issue could affect all users of Prolog Manager who access the application over a network.
* Ensure that you are using Prolog’s 𠆎nhanced Encryption’ option, which requires the greatest level of cryptography knowledge to circumvent. * To use the 𠆎nhanced Encryption’ option in Prolog Manager, please do the following: * Under the Options tab of Security Manager, select the 'Use Enhanced Encryption' option, and then click the Save button to complete the operation. * Please note that once this option is selected, you will be unable to switch back to using Standard Encryption. * Ensure that your firewall is active and configured appropriately to protect your network infrastructure from attacks from external sources. * Ensure that all Prolog users are using a ‘robust’ password of no less than 8 characters consisting of a combination of letters (upper and lower case), numbers and special characters. (This will make it much more difficult for malicious users to determine the value of any password they managed to intercept).
Meridian has identified the following product enhancements which it will implement as soon as possible in order to rectify the way in which password data is currently handled in Prolog Manager:
The enhancements will also be included as part of our next major release, Prolog 2008, scheduled to be available in the first half of 2008.
Contacting Meridian Systems
If you require any further information on this issue, please contact Meridian Systems Support Services by using any of the following methods:
Fax: 916 294-2001
Telephone: 916 294-2100
Internet: <http://www.meridiansystems.com/services/support/index.asp> The Meridian Systems SupportLink includes a technical knowledge base, answers to frequently asked questions, technical documentation and a form to submit specific support requests 24 hours a day, 365 days a year.
Mail: Meridian Systems Attn: Support Services 1720 Prairie City Road, Suite 120 Folsom, CA 95630
THE INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MERIDIAN SYSTEMS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MERIDIAN SYSTEMS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MERIDIAN PROJECT SYSTEMS CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Did you find this document helpful? Send your comments to firstname.lastname@example.org.
The vendor has not provided us with any further information regarding this vulnerability.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A
Information about this vulnerability was posted on the bugtraq mailing list.
This document was written by Ryan Giobbi.
CVE IDs: | CVE-2007-6330
Severity Metric:** | 1.77
Date Public: | 2007-12-11
Date First Published: | 2007-12-17
Date Last Updated: | 2007-12-19 17:35 UTC
Document Revision: | 28