Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: "Dell Data Protection | Access" for Windows contains and installs outdated, superfluous and vulnerable system components and 3rd party components/drivers
From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 25 Sep 2012 12:50:23 -0400

Timeline
~~~~~~~~
2012-08-24    informed vendor support
2012-09-24    no reaction/reply from vendor support, report published
Dell security is a joke. In the past, I even tried to call support
when emails went unanswered. The call center responded by dropping the
call (three times).

On Mon, Sep 24, 2012 at 5:57 AM, Stefan Kanthak <stefan.kanthak () nexgo de> wrote:
Hi @ll

the current version of Dell's Data Protection | Access (DDPA) software for
Windows (Build 2.2.00003.008 from 2012-06-14, released August 2012) contains
and installs several outdated, superfluous and vulnerable Windows system
components as well as outdated and vulnerable 3rd party components and drivers.

<http://www.dell.com/support/drivers/uk/en/ukdhs1/DriverDetails?driverId=KPCWG>

From the readme.txt:

| Dell Data Protection | Access (DDP|A) is an integrated end point security
| management suite, providing for seamless data security and authentication.
| It allows you to authenticate using a fingerprint, smartcard, contactless
| smartcard or password. Pre-Windows can be configured to unlock self-encrypting
| drives upon authentication.


The outdated, superfluous and vulnerable components (incomplete):

#1. "Microsoft MSXML Parser.msi"    version 6.0 from 2005-09-09

     All versions of Windows supported by DDP|A include a newer version
     of MSXML 6.0, the latest update/security fix cf.
     <http://technet.microsoft.com/en-us/security/bulletin/ms12-043>


#2. "Microsoft Root Certificate Update October 2010\rootsupd.exe"

    The current Microsoft root certificate update is from April 2012,
    cf. <http://support.microsoft.com/kb/931125>


#3. "Microsoft Visual Studio Runtimes\vcredist_x86.exe"
                                     version 9.0.30729.17 from 2008-08-08

    For the current Microsoft Visual C++ 2008 Redistributable Package
    cf. <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>


#4. "Microsoft CCID Smartcard Reader for XP\usbccid.sys"
                                     version 5.2.3790.2444 from 2005-05-17

    The installer package for DDP|A but includes the hotfix
    "WindowsXP-KB967048-v2-x86-ENU.exe" with the current version of
    this driver: 5.2.3790.4476, 2009-03-17


#5. "AuthenTec AES2810 Fingerprint Reader\AT8MinFoose.msi"
                                     version 8.4.4.39 from 2012-02-02

    Cf. <http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/>


#6. "UPEK TouchChip Fingerprint Reader\UPEK_Touchchip.msi"
                                     version 5.9.4.6685 from 2010-09-15

    Cf. <http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/>

    This driver package contains parts of OpenSSL (no version specified),
    it installs a textfile "OpenSSL license" from 2006-06-14!
    So: add OpenSSL to the list of vulnerable components too.


#7. "UPEK TouchChip Fingerprint Reader PBA Support\spba.msi"
                                      version 5.9.4.6901 from 2010-??-??

    This package contains a vulnerable MSVCRT+ 2005 runtime (version
    8.0.50727.762)

    Cf. <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>

    This driver package contains parts of OpenSSL (no version specified),
    it installs a textfile "OpenSSL license" from 2006-06-14!
    So: add OpenSSL to the list of vulnerable components too.


#8. "Preboot Manager.msi"             version 03.02.00.119 from 2011-12-06
                                      by Wave Systems Corp.

    This package contains a vulnerable MSXML 4.0 SP2 (version 4.20.9818.0
    from 2003-04-18).
    Cf. <http://technet.microsoft.com/en-us/security/bulletin/ms12-043>

    This package contains a VTAPI.DLL (version 5.6.0.3239 from 2006-11-13)
    from UPEK Inc. (see #6 and #7 above) which contains parts of OpenSSL.
    So: yet another component with vulnerable OpenSSL code.

    JFTR: no textfile with the "OpenSSL license" included here.


#9. "NTRU CryptoSystems TCG Software Stack\NTRU-CTSS-v1.2.1.37-eu.msi"
                                      version 1.2.1.37 from 2011-10-08
                                      by NTRU CryptoSystems Inc.

    This package contains a vulnerable MSVCRT++ 2010 (version 10.0.30319.1
    from 2010-03-18), cf.
    <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>


... and more (I stopped counting)!


Dell Inc.: Don't you have any QA? Can't afford one?
UPEK Inc.: Don't you have any QA? Can't afford one?
Wave Corp.: Don't you have any QA? Can't afford one?
NTRU Inc.: Don't you have any QA? Can't afford one?

What about just a little bit of serious software engineering and due
diligence in your development, build and production processes?

It's a stupid idea to build security software from vulnerable components!


Stefan Kanthak


Timeline
~~~~~~~~

2012-08-24    informed vendor support

2012-09-24    no reaction/reply from vendor support, report published

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

The information transmitted in this message and its attachments (if any) is intended only for the person or entity to 
which it is addressed.

The message may contain confidential and/or privileged material. Any review, retransmission, dissemination or other 
use of, or taking of any action in reliance upon this information, by persons or entities other than the intended 
recipient is prohibited.

If you have received this in error, please contact the sender and delete this e-mail and associated material from any 
computer.

The intended recipient of this e-mail may only use, reproduce, disclose or distribute the information contained in 
this e-mail and any attached files, with the permission of the sender.

This message has been scanned for viruses.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault