Software Engineering Institute

Notified:  April 17, 2007 Updated: June 01, 2007

Status

Affected

Vendor Statement

CREDANT Technologies takes security seriously and appreciates this opportunity
to explain how we addressed VU#821865. In addition to ongoing security reviews
by development and QA, CREDANT Mobile Guardian (CMG) is also subject to
periodic third party code reviews. Though preventing security vulnerabilities
is our primary goal, we are aware that issues can slip through, which is why we
frequently review both existing and new product functions and code.

Because we focus on data encryption, CREDANT has done significant work to
ensure on-going reviews around code and functions, including those supporting
authentication of authorized users. In addition to leveraging existing
Microsoft Windows domain authentication mechanisms, CREDANT's development
process includes a variety of best practices to identify and quickly address
any issues that may be introduced whether they are a result of adding new
features or regular product maintenance. One of these best practices is the
requirement of internal peer audits any time a code change is made that could
interact with authentication credential processing. These reviews are designed
to check for a variety of issues and to ensure that we:

- hold credentials in memory for the least amount of time possible
- create a hash of any credentials that must be held in memory
- zero out any memory immediately after processing authentication credentials

Per our procedures, passwords used by the Windows Shield were hashed before
being held in memory, but there were some instances where we failed to clear
the memory containing the original password used to create the hash.  This
issue was identified in a regular internal code review and was confirmed by a
customer report on April 4, 2007 and by the CERT notification on April 17,
2007.  CREDANT provided a test build fix to the reporting customer around April
19, 2007 and a final fix went into our CMG Enterprise Edition 5.2.1 SP1 release
on May 1, 2007. To prevent a recurrence of this issue, CREDANT also added some
core memory management functionality to our product to help ensure automatic
clearing of memory in many cases.

Our encryption policy defaults are generally off, which is driven by customer
demand that we allow them to decide what the acceptable risk is in their
environment. Though this drove our decision to set the "Encrypt Windows Paging
File" default policy to False, our documentation recommends  changing this to
True when encryption is enabled. The CMG Administrator Help includes a section
of recommended policies by security level, where we suggest policy settings for
Low, Medium, and High security environments. The recommended value for "Encrypt
Windows Paging File" policy is True for all levels (High, Medium, and Low
security environments).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.