search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

NetSupport Manager Gateway transmits identifying information in plaintext

Vulnerability Note VU#465239

Original Release Date: 2010-11-03 | Last Revised: 2010-11-03

Overview

The NetSupport HTTP protocol implementation used for communication between the NetSupport Manager Gateway and NetSupport Manager Controls or NetSupport Manager Clients is not encrypting http headers sent between systems.

Description

The NetSupport HTTP protocol implementation used for communication between the NetSupport Manager Gateway and NetSupport Manager Controls or NetSupport Manager Clients is sending plaintext http headers between systems. The header of some of the NetSupport HTTP packets contain information in plaintext that could be used to identify information about the client machine.

Impact

An attacker could view identification information about the client machine such as the client's ip address, hardware MAC address, user's login name, and password hash.

Solution

Upgrade

According to the vendor's technical document the NetSupport HTTP protocol implementation has been updated so that all header communication is now encrypted in the current shipping version of the NetSupport Manager product (version 11.00.0005).

Additional information is available in the Vendors Affected section of this document.

Vendor Information

465239
 
Expand all

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://www.netsupportsoftware.com/support/td.asp?td=634

Acknowledgements

Thanks to Matthew Whitehead for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: None
Severity Metric: 4.97
Date Public: 2010-11-03
Date First Published: 2010-11-03
Date Last Updated: 2010-11-03 18:17 UTC
Document Revision: 21

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis