BID:30736

SWIMAGE Encore Master Password Information Disclosure Vulnerability

Info

SWIMAGE Encore Master Password Information Disclosure Vulnerability

Bugtraq ID:	30736
Class:	Design Error
CVE:	CVE-2008-6191
Remote:	Yes
Local:	No
Published:	Aug 18 2008 12:00AM
Updated:	May 07 2015 05:24PM
Credit:	Adam Fier of Lockheed Martin/NASA
Vulnerable:	Intrinsic Technologies SWIMAGE Encore 0

Not Vulnerable:	Intrinsic Technologies SWIMAGE Encore 5.0.1 .21

Discussion

SWIMAGE Encore Master Password Information Disclosure Vulnerability

SWIMAGE Encore is prone to an information-disclosure vulnerability because it fails to securely remove authentication credentials from memory.

Attackers can exploit this issue to gain authentication credentials for vulnerable applications. Information harvested may aid in launching further attacks.

Exploit / POC

SWIMAGE Encore Master Password Information Disclosure Vulnerability

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Solution / Fix

SWIMAGE Encore Master Password Information Disclosure Vulnerability

Solution:
The vendor released Encore 5.0.1.21 to address this issue. Please contact the vendor for information on obtaining and applying the update.

NOTE: This issue persists within the option for creating bootable media.

References

SWIMAGE Encore Master Password Information Disclosure Vulnerability

References:

SWIMAGE Encore Homepage (Intrinsic Technologies)
Vulnerability Note VU#778427 Intrinsic Swimage Encore does not securely manage l (US-CERT)