OTERO Hernan Gustavo EDS
14/04/03, 20:05
In December of the 2002 I was analysing the ActivCard product for a client.
During the analysis I noticed that making a memory dump of the process
"scardsrv" was possible to obtain the users stored staticaly in the card.
This issue at first, could seem smaller, although in depth already it has a
very serious character, but deepening the analisis I found that even with
the card pulled out from the pc the users and passwords remained in memory.
This was reported properly to ActivCard (this can be reed in the mail thread
at next).
This was the answer
Here is the answer from our Product Manager about this issue:
The problem found relates to accessing static passwords stored (for
performance) in a memory cache by ActivCard Gold. ActivCard recognizes the
seriousness of this problem, and will fix it in the next version of the
product - ActivCard is currently working on a mechanism that will prevent a
memory dump to access any kind of personal data.
Note that this problem is only applicable to static passwords. PKI private
keys and Dynamic Password keys are always stored securely on the card and
never loaded on the PC.
Also note that this problem only happens after the user has accessed the
card with his PIN, and while the user is still using the card. As soon as
the user removes the card and logs out of his session, the cache is cleared
and the static passwords cannot be accessed anymore. (/****NOTE***** This is
not true, I do some test and even when pulled out the card the users and
pass remain in memory area******/)
Regards,
Jensen Toma
I have not recived any news or contact since february, I believe is
convenient to publish this "vulnerability" to accelerate the process of
correction.
Hernán Otero
http://www.xss.com.ar
I don´t like this..., but i think this is the only way to accelerate the
patch.
The messagesthread...
-----Original Message-----
From: OTERO Hernan Gustavo EDS
Sent: Viernes, 14 de Marzo de 2003 04:58 p.m.
To: 'PUB: Jensen Toma'; 'jlazou@activcard.com'
Subject: RE: Technical Support Form Submission
Do you have any advance in this particular issue...?
I think we are in time to release this information...
Regards,
Hernán
-----Original Message-----
From: PUB: Jensen Toma [mailto:jtoma@activcard.com]
Sent: Miércoles, 12 de Febrero de 2003 02:17 p.m.
To: 'OTERO Hernan Gustavo EDS'
Cc: Jean-Luc Azou
Subject: RE: Technical Support Form Submission
Hernan,
I would suggest you coordinate with Jean-Luc Azou who is the Product
Marketing Manager for Gold. He can get you more information for your
publication and status on the next version of Gold.
Regards,
Jensen
-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net]
Sent: Wednesday, February 12, 2003 3:27 AM
To: 'PUB: Jensen Toma'
Subject: RE: Technical Support Form Submission
Jensen,
there is any news... can i publish this ??
Regards,
-----Original Message-----
From: PUB: Jensen Toma [mailto:jtoma@activcard.com]
Sent: Viernes, 13 de Diciembre de 2002 06:09 p.m.
To: 'OTERO Hernan Gustavo EDS'
Subject: RE: Technical Support Form Submission
No firm date yet, but currently targetted for late Q1/early Q2 of next year.
-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net]
Sent: Friday, December 13, 2002 12:33 PM
To: 'PUB: Jensen Toma'
Subject: RE: Technical Support Form Submission
Jensen,
When you expect to release the next version of ActivCard ??
Regards,
Hernán Otero
-----Original Message-----
From: PUB: Jensen Toma [mailto:jtoma@activcard.com]
Sent: Miércoles, 11 de Diciembre de 2002 09:41 p.m.
To: 'OTERO Hernan Gustavo EDS'
Subject: RE: Technical Support Form Submission
Hernan,
Here is the answer from our Product Manager about this issue:
The problem found relates to accessing static passwords stored (for
performance) in a memory cache by ActivCard Gold. ActivCard recognizes the
seriousness of this problem, and will fix it in the next version of the
product - ActivCard is currently working on a mechanism that will prevent a
memory dump to access any kind of personal data.
Note that this problem is only applicable to static passwords. PKI private
keys and Dynamic Password keys are always stored securely on the card and
never loaded on the PC.
Also note that this problem only happens after the user has accessed the
card with his PIN, and while the user is still using the card. As soon as
the user removes the card and logs out of his session, the cache is cleared
and the static passwords cannot be accessed anymore.
Regards,
Jensen Toma
-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net]
Sent: Tuesday, December 10, 2002 6:55 AM
To: 'PUB: Jensen Toma'
Subject: RE: Technical Support Form Submission
Could you reproduce the problem?
Hernán Otero
-----Original Message-----
From: OTERO Hernan Gustavo EDS
Sent: Lunes, 09 de Diciembre de 2002 11:51 a.m.
To: 'PUB: Jensen Toma'
Subject: RE: Technical Support Form Submission
I will try to collect more information to you, by now I send some answers to
your questions.
1) I´m using version ActivCard (R) Gold 2.2 (BN39) October 11th, 2002
2) The smart card type 16k ( What other info you need ? )
3) I´m not working in any way with the DoD.
4) I need to take an extra care in the dump of the memory because I cannot
send any private information. This can take some extra time...But if you
want to reproduce the test. Add some static password to your card, then
only put your card pin ( without using any of the static passwords ) and
using pmdump dump the memory of scardsrv process and you will see the users
and passwords in the memory dump.
Thanks,
Hernán Otero
-----Original Message-----
From: PUB: Jensen Toma [mailto:jtoma@activcard.com]
Sent: Jueves, 05 de Diciembre de 2002 04:58 p.m.
To: 'bazhgo@techint.net'
Subject: RE: Technical Support Form Submission
Hernan,
Thank you for informing us of this.
I have a few questions for you which will help me to diagnose and work on
this issue:
1) What version of ActivCard Gold are you using? This information can be
found in the readme.txt in the installation package or in c:\program
files\activcard\activcard gold\docs.
2) What type of smart card are you using?
3) Is this in any way related to the DOD project? If so, is this related to
RAPIDS?
4) Could you provide me a copy of the dump and/or the analysis of the dump?
All of these items will be useful in helping us to analyze the situation.
Best Regards,
Jensen Toma
Regional Manager of Support
direct: 510.745.6254
jtoma@activcard.com
-----Original Message-----
From: support@activcard.com [mailto:support@activcard.com]
Sent: Thursday, December 05, 2002 9:18 AM
To: supportweb@activcard.com
Subject: Technical Support Form Submission
technicalsupportformdata
first:Hernan
last:Otero
email:[email:bazhgo@techint.net]
url:
phone:05411-XXXX-XXXX
fax:
company:XXXXXXX Argentina
title:Security Analyst
country:AR
contact:
problem:Making a memory dump of the proccess scardsrv I found all the
statics users and passwords stored in the card in plain text. This is a
security flaw. ¿Can you tell me if it can be repaired and when? All the
test was made in Windows XP with SCM Microsystems SCR201 Smart Card Reader
and ActivCard Gold
I will do a report, then in a cordinated release with your patch our upgrade
I will send this report to bugtraq.
products:
server:Windows 2000
server_service_pack:
other_server:
workstation:Other
workstation_service_pack:
win_98_version:
win_95_version:
other_workstation:XP
message:
operational:yes
production:
demonstration:
system_down:
evaluation:
different_card:
different_token:
different_workstation:
duplicated:
different_server:
reinstalled:
resolved:
business_operations:
other_products:
reseller:
During the analysis I noticed that making a memory dump of the process
"scardsrv" was possible to obtain the users stored staticaly in the card.
This issue at first, could seem smaller, although in depth already it has a
very serious character, but deepening the analisis I found that even with
the card pulled out from the pc the users and passwords remained in memory.
This was reported properly to ActivCard (this can be reed in the mail thread
at next).
This was the answer
Here is the answer from our Product Manager about this issue:
The problem found relates to accessing static passwords stored (for
performance) in a memory cache by ActivCard Gold. ActivCard recognizes the
seriousness of this problem, and will fix it in the next version of the
product - ActivCard is currently working on a mechanism that will prevent a
memory dump to access any kind of personal data.
Note that this problem is only applicable to static passwords. PKI private
keys and Dynamic Password keys are always stored securely on the card and
never loaded on the PC.
Also note that this problem only happens after the user has accessed the
card with his PIN, and while the user is still using the card. As soon as
the user removes the card and logs out of his session, the cache is cleared
and the static passwords cannot be accessed anymore. (/****NOTE***** This is
not true, I do some test and even when pulled out the card the users and
pass remain in memory area******/)
Regards,
Jensen Toma
I have not recived any news or contact since february, I believe is
convenient to publish this "vulnerability" to accelerate the process of
correction.
Hernán Otero
http://www.xss.com.ar
I don´t like this..., but i think this is the only way to accelerate the
patch.
The messagesthread...
-----Original Message-----
From: OTERO Hernan Gustavo EDS
Sent: Viernes, 14 de Marzo de 2003 04:58 p.m.
To: 'PUB: Jensen Toma'; 'jlazou@activcard.com'
Subject: RE: Technical Support Form Submission
Do you have any advance in this particular issue...?
I think we are in time to release this information...
Regards,
Hernán
-----Original Message-----
From: PUB: Jensen Toma [mailto:jtoma@activcard.com]
Sent: Miércoles, 12 de Febrero de 2003 02:17 p.m.
To: 'OTERO Hernan Gustavo EDS'
Cc: Jean-Luc Azou
Subject: RE: Technical Support Form Submission
Hernan,
I would suggest you coordinate with Jean-Luc Azou who is the Product
Marketing Manager for Gold. He can get you more information for your
publication and status on the next version of Gold.
Regards,
Jensen
-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net]
Sent: Wednesday, February 12, 2003 3:27 AM
To: 'PUB: Jensen Toma'
Subject: RE: Technical Support Form Submission
Jensen,
there is any news... can i publish this ??
Regards,
-----Original Message-----
From: PUB: Jensen Toma [mailto:jtoma@activcard.com]
Sent: Viernes, 13 de Diciembre de 2002 06:09 p.m.
To: 'OTERO Hernan Gustavo EDS'
Subject: RE: Technical Support Form Submission
No firm date yet, but currently targetted for late Q1/early Q2 of next year.
-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net]
Sent: Friday, December 13, 2002 12:33 PM
To: 'PUB: Jensen Toma'
Subject: RE: Technical Support Form Submission
Jensen,
When you expect to release the next version of ActivCard ??
Regards,
Hernán Otero
-----Original Message-----
From: PUB: Jensen Toma [mailto:jtoma@activcard.com]
Sent: Miércoles, 11 de Diciembre de 2002 09:41 p.m.
To: 'OTERO Hernan Gustavo EDS'
Subject: RE: Technical Support Form Submission
Hernan,
Here is the answer from our Product Manager about this issue:
The problem found relates to accessing static passwords stored (for
performance) in a memory cache by ActivCard Gold. ActivCard recognizes the
seriousness of this problem, and will fix it in the next version of the
product - ActivCard is currently working on a mechanism that will prevent a
memory dump to access any kind of personal data.
Note that this problem is only applicable to static passwords. PKI private
keys and Dynamic Password keys are always stored securely on the card and
never loaded on the PC.
Also note that this problem only happens after the user has accessed the
card with his PIN, and while the user is still using the card. As soon as
the user removes the card and logs out of his session, the cache is cleared
and the static passwords cannot be accessed anymore.
Regards,
Jensen Toma
-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net]
Sent: Tuesday, December 10, 2002 6:55 AM
To: 'PUB: Jensen Toma'
Subject: RE: Technical Support Form Submission
Could you reproduce the problem?
Hernán Otero
-----Original Message-----
From: OTERO Hernan Gustavo EDS
Sent: Lunes, 09 de Diciembre de 2002 11:51 a.m.
To: 'PUB: Jensen Toma'
Subject: RE: Technical Support Form Submission
I will try to collect more information to you, by now I send some answers to
your questions.
1) I´m using version ActivCard (R) Gold 2.2 (BN39) October 11th, 2002
2) The smart card type 16k ( What other info you need ? )
3) I´m not working in any way with the DoD.
4) I need to take an extra care in the dump of the memory because I cannot
send any private information. This can take some extra time...But if you
want to reproduce the test. Add some static password to your card, then
only put your card pin ( without using any of the static passwords ) and
using pmdump dump the memory of scardsrv process and you will see the users
and passwords in the memory dump.
Thanks,
Hernán Otero
-----Original Message-----
From: PUB: Jensen Toma [mailto:jtoma@activcard.com]
Sent: Jueves, 05 de Diciembre de 2002 04:58 p.m.
To: 'bazhgo@techint.net'
Subject: RE: Technical Support Form Submission
Hernan,
Thank you for informing us of this.
I have a few questions for you which will help me to diagnose and work on
this issue:
1) What version of ActivCard Gold are you using? This information can be
found in the readme.txt in the installation package or in c:\program
files\activcard\activcard gold\docs.
2) What type of smart card are you using?
3) Is this in any way related to the DOD project? If so, is this related to
RAPIDS?
4) Could you provide me a copy of the dump and/or the analysis of the dump?
All of these items will be useful in helping us to analyze the situation.
Best Regards,
Jensen Toma
Regional Manager of Support
direct: 510.745.6254
jtoma@activcard.com
-----Original Message-----
From: support@activcard.com [mailto:support@activcard.com]
Sent: Thursday, December 05, 2002 9:18 AM
To: supportweb@activcard.com
Subject: Technical Support Form Submission
technicalsupportformdata
first:Hernan
last:Otero
email:[email:bazhgo@techint.net]
url:
phone:05411-XXXX-XXXX
fax:
company:XXXXXXX Argentina
title:Security Analyst
country:AR
contact:
problem:Making a memory dump of the proccess scardsrv I found all the
statics users and passwords stored in the card in plain text. This is a
security flaw. ¿Can you tell me if it can be repaired and when? All the
test was made in Windows XP with SCM Microsystems SCR201 Smart Card Reader
and ActivCard Gold
I will do a report, then in a cordinated release with your patch our upgrade
I will send this report to bugtraq.
products:
server:Windows 2000
server_service_pack:
other_server:
workstation:Other
workstation_service_pack:
win_98_version:
win_95_version:
other_workstation:XP
message:
operational:yes
production:
demonstration:
system_down:
evaluation:
different_card:
different_token:
different_workstation:
duplicated:
different_server:
reinstalled:
resolved:
business_operations:
other_products:
reseller: