Notified:  April 17, 2007 Updated: June 01, 2007

Status

Affected

Vendor Statement

CREDANT Technologies takes security seriously and appreciates this opportunity to explain how we addressed VU#821865. In addition to ongoing security reviews by development and QA, CREDANT Mobile Guardian (CMG) is also subject to periodic third party code reviews. Though preventing security vulnerabilities is our primary goal, we are aware that issues can slip through, which is why we frequently review both existing and new product functions and code. Because we focus on data encryption, CREDANT has done significant work to ensure on-going reviews around code and functions, including those supporting authentication of authorized users. In addition to leveraging existing Microsoft Windows domain authentication mechanisms, CREDANT's development process includes a variety of best practices to identify and quickly address any issues that may be introduced whether they are a result of adding new features or regular product maintenance. One of these best practices is the requirement of internal peer audits any time a code change is made that could interact with authentication credential processing. These reviews are designed to check for a variety of issues and to ensure that we: - hold credentials in memory for the least amount of time possible - create a hash of any credentials that must be held in memory - zero out any memory immediately after processing authentication credentials Per our procedures, passwords used by the Windows Shield were hashed before being held in memory, but there were some instances where we failed to clear the memory containing the original password used to create the hash. This issue was identified in a regular internal code review and was confirmed by a customer report on April 4, 2007 and by the CERT notification on April 17, 2007. CREDANT provided a test build fix to the reporting customer around April 19, 2007 and a final fix went into our CMG Enterprise Edition 5.2.1 SP1 release on May 1, 2007. To prevent a recurrence of this issue, CREDANT also added some core memory management functionality to our product to help ensure automatic clearing of memory in many cases. Our encryption policy defaults are generally off, which is driven by customer demand that we allow them to decide what the acceptable risk is in their environment. Though this drove our decision to set the "Encrypt Windows Paging File" default policy to False, our documentation recommends changing this to True when encryption is enabled. The CMG Administrator Help includes a section of recommended policies by security level, where we suggest policy settings for Low, Medium, and High security environments. The recommended value for "Encrypt Windows Paging File" policy is True for all levels (High, Medium, and Low security environments).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.