NOVL-2005010098073 GroupWise Password Caching

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For Immediate Disclosure

============================== Summary ==============================

Security Alert: NOVL-2005-10098073
Title: GroupWise Password Caching
Date: 16-August-2005
Revision: Original
Product Name: GroupWise 5.x, 6.x
OS/Platform(s): Windows and NetWare
Reference URL: http://support.novell.com/servlet/tidfinder/10098073
Vendor Name: Novell, Inc.
Vendor URL: http://www.novell.com
Security Alerts: http://support.novell.com/security-alerts
Affects: GroupWise Windows Clients & Proxies
Identifiers: Bugtraq:13997, CVE:CAN-2005-2620, SECTRACK:1014247
Credits: [email protected]

============================ Description ============================

The GroupWise client sometimes caches the user name and password in
memory while it is running.

============================== Impact ===============================

A hostile user with administrative access to the machine where a user
is logged in may dump memory and find username/password pairs of
logged in users.

======================== Recommended Actions ========================
GW 7 was released with these fixes already applied, so no further
action is required for GroupWise 7 users.

Until the official release of GroupWise 6.5 SP5 in mid-September,
customers wishing to apply Field Test Files (FTF) can download these
from http://support.novell.com/filefinder/ and locate the latest
GroupWise Agents and GroupWise Client FTFs. Currently as of
August 16, 2005 the filenames are fgw655h.exe for Agents and
f32655f7e.exe for GW Client. Both, FTFs will need to be applied
to get the full fix.

See detailed instructions in the referenced Technical Information
Document (TID): http://support.novell.com/servlet/tidfinder/10098073

============================ DISCLAIMER =============================

The content of this document is believed to be accurate at the time
of publishing based on currently available information. However, the
information is provided "AS IS" without any warranty or
representation. Your use of the document constitutes acceptance of
this disclaimer. Novell disclaims all warranties, express or
implied, regarding this document, including the warranties of
merchantability and fitness for a particular purpose. Novell is not
liable for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this document or any security
alert, even if Novell has been advised of the possibility of such
damages and even if such damages are foreseeable.

============================ Appendices =============================

None

================ Contacting Novell Security Alerts ==================

To report suspected security vulnerabilities in Novell products,
send email to
[email protected]

PGP users may send signed/encrypted information to us using our
PGP key, available from the our website at:

        http://support.novell.com/security-alerts

Novell Security Alerts, Novell, Inc. PGP Key Fingerprint:

3C6B 3F26 4E34 1ADF E27B D6C4 1AC8 9184 34D1 9739

========================= Revision History ==========================
Original: 16-Aug-2005 - Original Publication

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDA4GUGsiRhDTRlzkRAhDnAKCrwSIzonYqwbKjxmsm+CSlvwsqiwCg+Qdn
gK8fuk3uLS6wUY1S97pV36E=
=U6IQ
-----END PGP SIGNATURE-----