Sonicwall diag tool includes VPN credentlials

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Sonicwall diag tool includes VPN credentlials
From: Milton Lopez <mlopez@xxxxxxxxx>
Date: 30 Jul 2004 21:46:07 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Our Sonicwall Pro 300 firewall appliance includes a diagnostic tool called 
"Tech Support Report", which dumps the current configuration info to a plain 
text file. I have been asked by Sonicwall personnel to email this file as an 
attachment during several tech. support calls, without any additional warning 
or explanation. One of the items included in the report is a plain-text copy of 
the Shared Secret used for authenticating VPN users. Unless everything I've 
read about protecting this kind of information is suddenly not true, sending 
unprotected shared secrets to anyone via email is very bad idea. I also doubt 
that tech. support personnel need this in most cases and, if they do, the 
customer should be notified and asked for it explicitly.

Follow-Ups:
- RE: Sonicwall diag tool includes VPN credentlials
  - From: Stephan Sachweh

Prev by Date: Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing
Next by Date: [EXPL] (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit
Previous by thread: EXPLOIT for Re: [VSA0402] OpenFTPD format string vulnerability
Next by thread: RE: Sonicwall diag tool includes VPN credentlials
Index(es):
- Date
- Thread