SafeNet SoftRemote VPN Client Issue: Clear-text password stored in memory
SafeNet SoftRemote VPN Client Issue: Clear-text password stored in memory
Summary:
NTA Monitor have discovered a password disclosure issue in the SafeNet
SoftRemote VPN client: The SoftRemote client stores the password in an
obfuscated form in the Windows registry, but it also stores the unencrypted
password in process memory.
The SafeNet SoftRemote VPN client is widely used for remote access IPsec
VPNs. It is available as a product in its own right, and many VPN vendors
also use a badged-up version of the client which they ship with their VPN
product. The issue has been confirmed in both the SoftRemote product, and
also in two badged-up versions. It is suspected that the issue is common
to all versions of the client.
The vendor has been notified of this issue, and have produced a fix which
is expected to be available shortly.
Overview:
While performing a VPN test for a customer, NTA Monitor discovered that the
VPN client that was being used stored the VPN password (pre-shared key)
unencrypted in the memory of the process "IreIKE.exe". It was possible to
recover the password by dumping the process memory to a file with PMDump
(http://ntsecurity.nu/toolbox/pmdump/) or by crashing the system to obtain
a physical memory dump.
The IreIKE.exe process decrypts the pre-shared key as soon as it starts up,
so there is no need to attempt to connect to the VPN server in order to
obtain the password from the client.
The vulnerability was found in both SafeNet version of the client, and also
two badged-up versions, which implies that it is common across all versions
of the client.
The vulnerability allows anyone with access to the client system to obtain
the password. It also allows anyone who has access to the obfuscated
password in the client registry or in a policy file (.spd) to use the VPN
client to obtain the corresponding plain-text password.
The VPN client registry, and also policy files, contain all the other
configuration details needed to gain access to the VPN, such as the
username and IP addresses in plain (unencrypted format). Therefore anyone
with access to the VPN client system, or a policy file, can obtain all of
the required details to access the VPN.
In the memory dump, the plain-text password is visible near to the name of
the connection that it is associated with (e.g. "My Connections\New
Connection"). As the password appears to be at a fixed offset from the
connection name in the memory dump, it would be a simple matter to write a
tool to extract the connection name and password.
Further Information:
For further information, including technical details and screenshots, see:
http://www.nta-monitor.com/news/vpn-flaws/safenet/index.htm
Roy Hills
--
Roy Hills Tel: +44 1634 721855
NTA Monitor Ltd FAX: +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate, Email: Roy.Hills@xxxxxxxxxxxxxxx
Rochester, Kent ME2 4FA,
UK WWW: http://www.nta-monitor.com/