[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Simple password obfuscation in Enterprise Architect

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Simple password obfuscation in Enterprise Architect
From: "Diening, Holm" <holm.diening@xxxxxxxxxx>
Date: Wed, 13 Feb 2013 18:14:25 +0100

Subject
=======
Simple password obfuscation in Sparx Systems "Enterprise Architect" when using 
server based repositories

Affected product
================
Product: Enterprise Architect
Vendor: Sparx Systems

Affected versions
=================
Tested with 9.3.931 Corporate, other versions likely to be affected too.

Description
===========
When using server based repositories in Enterprise Architect the user account 
information is stored in the database table t_secuser. The column "Password" 
contains the user password in an obfuscated format. The content is simply the 
user password XOR'ed with the ASCII code of 'E17030402158'. Hence everyone with 
access to the database (which is in general every user with access to the 
repository) is able to decode the passwords of all other users.

Impact
======
Disclosure of user passwords.

Possible mitigating factors
===========================
Beginning with version 7.1 Enterprise Architect offers a feature where project 
owners can provide users with a shortcut to the project that contains the 
database connection string in an encrypted format. This should avoid the need 
to reveal database access credentials to end users. 

Conclusion
==========
Everyone with access to the database containing the repository is able to 
decode the passwords of all users. Irrespective of the fact that ordinary end 
users may be detained from gaining access to the database using the "Encrypt 
Connection String" feature, at least SQL admins may still read the t_secuser 
table and are therefore able decode the passwords. 

Chronology
==========
Vendor informed: 2013/01/28
Vendor reminded: 2013/02/06
Vender response: 2013/02/07

Summary of vendor response: 
- "We are aware of these limitations"
- "No fixes are scheduled at this time."

Released to public: 2013/02/12

Reported by
===========
Holm Diening
Dept. Privacy and Information Security

E-Mail: holm.diening[at]gematik[dot]de

gematik
Gesellschaft für Telematikanwendungen der Gesundheitskarte mbH 
Friedrichstraße 136
10117 Berlin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Sonicwall OEM Scrutinizer v9.5.2 - Multiple Web Vulnerabilities
Next by Date: [Full-disclosure] [SECURITY] [DSA 2621-1] openssl security update
Previous by thread: [Full-disclosure] Sonicwall OEM Scrutinizer v9.5.2 - Multiple Web Vulnerabilities
Next by thread: [Full-disclosure] [SECURITY] [DSA 2621-1] openssl security update
Index(es):
- Date
- Thread