__________________________________________________________
	
						   The U.S. Department of Energy
					   Computer Incident Advisory Capability
							   ___  __ __    _     ___
							  /       |     /_\   /
							  \___  __|__  /   \  \___
				 __________________________________________________________
	
								 INFORMATION BULLETIN
	
			NeoScale Systems CryptoStor 700 Series Appliances Vulnerability
						   [US-CERT Vulnerability VU#339004]
	
	December 19, 2006 19:00 GMT                                       Number R-083
	______________________________________________________________________________
	PROBLEM:       An attacker with knowledge of only the username and password 
				   for the administration contols can gain administrative access 
				   to the CryptoStor unit. 
	PLATFORM:      CryptoStor Tape 700 Series Firmware version before 2.6 
	DAMAGE:        An attacker with knowledge of only the username and password 
				   for the administrative console can gain administrative access 
				   by using a browser with ActiveX disabled. This would allow an 
				   attacker to add, change, or delete encryption rules and keys, 
				   establish cluster members, export keys for archival, and more. 
	SOLUTION:      Upgrade to version 2.6 CryptoStor Tape 700 Series Firmware. 
	______________________________________________________________________________
	VULNERABILITY  The risk is MEDIUM. administrative console can gain 
	ASSESSMENT:    administrative access by using a browser with ActiveX disabled. 
				   This would allow an attacker to add, change, or delete 
				   encryption rules and keys, establish cluster members, export 
				   keys for archival, and more. 
	______________________________________________________________________________
	LINKS: 
	 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-083.shtml 
	 ORIGINAL BULLETIN:  US-CERT Vulnerability Note VU#339004
						 http://www.kb.cert.org/vuls/id/339004 
	 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
						 CVE-2006-3896 
	______________________________________________________________________________
	[***** Start US-CERT Vulnerability VU#339004 *****]
	
	
	
	Vulnerability Note VU#339004
	
	
	NeoScale Systems CryptoStor 700 series appliances fail to properly perform 
	two-factor authentication
	
	
	Overview
	
	NeoScale Systems CryptoStor 700 series appliances fail to properly perform 
	two-factor authentication. This can make it easier to bypass the CryptoStor 
	authentication process. 
	
	
	I. Description
	NeoScale Systems CryptoStor Tape units are tape backup encryption appliances. 
	CryptoStor 700 series units provide two-factor authentication for administration 
	functions. This is accomplished with a smartcard token plus a username and 
	password combination. 
	
	The smartcard aspect of the two-factor authentication is performed on the client 
	side within the web browser, using ActiveX and script. Disabling ActiveX can 
	bypass this part of the two-factor authentication. 
	
	
	II. Impact
	
	An attacker with knowledge of only the username and password for the 
	administration console can gain administrative access to the CryptoStor unit. 
	This would allow an attacker to add, change, or delete encryption rules and keys, 
	establish cluster members, export keys for archival, and more. 
	
	
	III. Solution
	
	Apply an update 
	
	This issue is addressed in the 2.6 version of the CryptoStor Tape 700 Series 
	firmware. According to NeoScale, this version of the firmware makes the following 
	changes:
	
	
	a) changing the CryptoStor ActiveX component to not perform the actual 
	authentication only to report on its success or failure. The CryptoStor ActiveX 
	component version number was also changed.
	
	b) changes to the cgi-bin program within the CryptoStor Appliance to perform the 
	actual authentication. The cgi-bin program was also modified to not work with the 
	original version of the CryptoStor ActiveX component
	
	c) implementation of a Thawte certificate for the CryptoStor ActiveX component
	
	
	Systems Affected
	Vendor Status Date Updated 
	NeoScale Systems, Inc. Vulnerable 18-Dec-2006 
	
	References
	
	http://www.neoscale.com/English/Products/CryptoStor_Tape.html 
	
	Credit
	
	This document was written by Will Dormann. 
	
	Other Information
	Date Public 12/18/2006 
	Date First Published 12/18/2006 05:13:18 PM 
	Date Last Updated 12/18/2006 
	CERT Advisory   
	CVE Name CVE-2006-3896 
	Metric 0.64 
	Document Revision 10 
	
	
	[***** End US-CERT Vulnerability VU#339004 *****]
	_______________________________________________________________________________
	
	CIAC wishes to acknowledge the contributions of US-CERT for the 
	information contained in this bulletin.
	_______________________________________________________________________________
	
	
	CIAC, the Computer Incident Advisory Capability, is the computer
	security incident response team for the U.S. Department of Energy
	(DOE) and the emergency backup response team for the National
	Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
	National Laboratory in Livermore, California. CIAC is also a founding
	member of FIRST, the Forum of Incident Response and Security Teams, a
	global organization established to foster cooperation and coordination
	among computer security teams worldwide.
	
	CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
	can be contacted at:
		Voice:    +1 925-422-8193 (7x24)
		FAX:      +1 925-423-8002
		STU-III:  +1 925-423-2604
		E-mail:   ciac@ciac.org
	
	Previous CIAC notices, anti-virus software, and other information are
	available from the CIAC Computer Security Archive.
	
	   World Wide Web:      http://www.ciac.org/
	   Anonymous FTP:       ftp.ciac.org
	
	PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
	communities receive CIAC bulletins.  If you are not part of these
	communities, please contact your agency's response team to report
	incidents. Your agency's team will coordinate with CIAC. The Forum of
	Incident Response and Security Teams (FIRST) is a world-wide
	organization. A list of FIRST member organizations and their
	constituencies can be obtained via WWW at http://www.first.org/.
	
	This document was prepared as an account of work sponsored by an
	agency of the United States Government. Neither the United States
	Government nor the University of California nor any of their
	employees, makes any warranty, express or implied, or assumes any
	legal liability or responsibility for the accuracy, completeness, or
	usefulness of any information, apparatus, product, or process
	disclosed, or represents that its use would not infringe privately
	owned rights. Reference herein to any specific commercial products,
	process, or service by trade name, trademark, manufacturer, or
	otherwise, does not necessarily constitute or imply its endorsement,
	recommendation or favoring by the United States Government or the
	University of California. The views and opinions of authors expressed
	herein do not necessarily state or reflect those of the United States
	Government or the University of California, and shall not be used for
	advertising or product endorsement purposes.
	
	LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
	
	R-073: Vulnerability in SNMP (926247)
	R-074: Cumulative Security Update for Internet Explorer (925454)
	R-075: Vulnerability in Visual Studio 2005 (925674)
	R-076: Vulnerability in Windows Media Format (923689)
	R-077: Vulnerability in Windows (926255)
	R-078: Cumulative Security Update for Outlook Express (923694)
	R-079: Vulnerability in Remote Installation Service (926121)
	R-080: Symantec Veritas NetBackup
	R-081: GNOME Foundation Display Manager gdmchooser
	R-082: Clamav