[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] "Dell Data Protection | Access" for Windows contains and installs outdated, superfluous and vulnerable system components and 3rd party components/drivers

To: Stefan Kanthak <stefan.kanthak@xxxxxxxx>
Subject: Re: [Full-disclosure] "Dell Data Protection | Access" for Windows contains and installs outdated, superfluous and vulnerable system components and 3rd party components/drivers
From: Jeffrey Walton <noloader@xxxxxxxxx>
Date: Tue, 25 Sep 2012 12:50:23 -0400

> Timeline
> ~~~~~~~~
> 2012-08-24    informed vendor support
> 2012-09-24    no reaction/reply from vendor support, report published
Dell security is a joke. In the past, I even tried to call support
when emails went unanswered. The call center responded by dropping the
call (three times).

On Mon, Sep 24, 2012 at 5:57 AM, Stefan Kanthak <stefan.kanthak@xxxxxxxx> wrote:
> Hi @ll
>
> the current version of Dell's Data Protection | Access (DDPA) software for
> Windows (Build 2.2.00003.008 from 2012-06-14, released August 2012) contains
> and installs several outdated, superfluous and vulnerable Windows system
> components as well as outdated and vulnerable 3rd party components and 
> drivers.
>
> <http://www.dell.com/support/drivers/uk/en/ukdhs1/DriverDetails?driverId=KPCWG>
>
> >From the readme.txt:
>
> | Dell Data Protection | Access (DDP|A) is an integrated end point security
> | management suite, providing for seamless data security and authentication.
> | It allows you to authenticate using a fingerprint, smartcard, contactless
> | smartcard or password. Pre-Windows can be configured to unlock 
> self-encrypting
> | drives upon authentication.
>
>
> The outdated, superfluous and vulnerable components (incomplete):
>
> #1. "Microsoft MSXML Parser.msi"    version 6.0 from 2005-09-09
>
>      All versions of Windows supported by DDP|A include a newer version
>      of MSXML 6.0, the latest update/security fix cf.
>      <http://technet.microsoft.com/en-us/security/bulletin/ms12-043>
>
>
> #2. "Microsoft Root Certificate Update October 2010\rootsupd.exe"
>
>     The current Microsoft root certificate update is from April 2012,
>     cf. <http://support.microsoft.com/kb/931125>
>
>
> #3. "Microsoft Visual Studio Runtimes\vcredist_x86.exe"
>                                      version 9.0.30729.17 from 2008-08-08
>
>     For the current Microsoft Visual C++ 2008 Redistributable Package
>     cf. <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>
>
>
> #4. "Microsoft CCID Smartcard Reader for XP\usbccid.sys"
>                                      version 5.2.3790.2444 from 2005-05-17
>
>     The installer package for DDP|A but includes the hotfix
>     "WindowsXP-KB967048-v2-x86-ENU.exe" with the current version of
>     this driver: 5.2.3790.4476, 2009-03-17
>
>
> #5. "AuthenTec AES2810 Fingerprint Reader\AT8MinFoose.msi"
>                                      version 8.4.4.39 from 2012-02-02
>
>     Cf. 
> <http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/>
>
>
> #6. "UPEK TouchChip Fingerprint Reader\UPEK_Touchchip.msi"
>                                      version 5.9.4.6685 from 2010-09-15
>
>     Cf. 
> <http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/>
>
>     This driver package contains parts of OpenSSL (no version specified),
>     it installs a textfile "OpenSSL license" from 2006-06-14!
>     So: add OpenSSL to the list of vulnerable components too.
>
>
> #7. "UPEK TouchChip Fingerprint Reader PBA Support\spba.msi"
>                                       version 5.9.4.6901 from 2010-??-??
>
>     This package contains a vulnerable MSVCRT+ 2005 runtime (version
>     8.0.50727.762)
>
>     Cf. <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>
>
>     This driver package contains parts of OpenSSL (no version specified),
>     it installs a textfile "OpenSSL license" from 2006-06-14!
>     So: add OpenSSL to the list of vulnerable components too.
>
>
> #8. "Preboot Manager.msi"             version 03.02.00.119 from 2011-12-06
>                                       by Wave Systems Corp.
>
>     This package contains a vulnerable MSXML 4.0 SP2 (version 4.20.9818.0
>     from 2003-04-18).
>     Cf. <http://technet.microsoft.com/en-us/security/bulletin/ms12-043>
>
>     This package contains a VTAPI.DLL (version 5.6.0.3239 from 2006-11-13)
>     from UPEK Inc. (see #6 and #7 above) which contains parts of OpenSSL.
>     So: yet another component with vulnerable OpenSSL code.
>
>     JFTR: no textfile with the "OpenSSL license" included here.
>
>
> #9. "NTRU CryptoSystems TCG Software Stack\NTRU-CTSS-v1.2.1.37-eu.msi"
>                                       version 1.2.1.37 from 2011-10-08
>                                       by NTRU CryptoSystems Inc.
>
>     This package contains a vulnerable MSVCRT++ 2010 (version 10.0.30319.1
>     from 2010-03-18), cf.
>     <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>
>
>
> ... and more (I stopped counting)!
>
>
> Dell Inc.: Don't you have any QA? Can't afford one?
> UPEK Inc.: Don't you have any QA? Can't afford one?
> Wave Corp.: Don't you have any QA? Can't afford one?
> NTRU Inc.: Don't you have any QA? Can't afford one?
>
> What about just a little bit of serious software engineering and due
> diligence in your development, build and production processes?
>
> It's a stupid idea to build security software from vulnerable components!
>
>
> Stefan Kanthak
>
>
> Timeline
> ~~~~~~~~
>
> 2012-08-24    informed vendor support
>
> 2012-09-24    no reaction/reply from vendor support, report published
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> The information transmitted in this message and its attachments (if any) is 
> intended only for the person or entity to which it is addressed.
>
> The message may contain confidential and/or privileged material. Any review, 
> retransmission, dissemination or other use of, or taking of any action in 
> reliance upon this information, by persons or entities other than the 
> intended recipient is prohibited.
>
> If you have received this in error, please contact the sender and delete this 
> e-mail and associated material from any computer.
>
> The intended recipient of this e-mail may only use, reproduce, disclose or 
> distribute the information contained in this e-mail and any attached files, 
> with the permission of the sender.
>
> This message has been scanned for viruses.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] "Dell Data Protection | Access" for Windows contains and installs outdated, superfluous and vulnerable system components and 3rd party components/drivers
  - From: Stefan Kanthak

Prev by Date: [Full-disclosure] [Announcement] CHMag - Call for Articles
Next by Date: Re: [Full-disclosure] [SE-2012-01] Critical security issue affecting Java SE 5/6/7
Previous by thread: [Full-disclosure] "Dell Data Protection | Access" for Windows contains and installs outdated, superfluous and vulnerable system components and 3rd party components/drivers
Next by thread: [Full-disclosure] giochionline.ilgiornale.it is vulnerable to base64 xss
Index(es):
- Date
- Thread