<<< Date Index >>>     <<< Thread Index >>>

NOVL-2005010098073 GroupWise Password Caching



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For Immediate Disclosure

============================== Summary ==============================

 Security Alert: NOVL-2005-10098073
          Title: GroupWise Password Caching
           Date: 16-August-2005
       Revision: Original
   Product Name: GroupWise 5.x, 6.x
 OS/Platform(s): Windows and NetWare
  Reference URL: http://support.novell.com/servlet/tidfinder/10098073
    Vendor Name: Novell, Inc. 
     Vendor URL: http://www.novell.com
Security Alerts: http://support.novell.com/security-alerts 
        Affects: GroupWise Windows Clients & Proxies
    Identifiers: Bugtraq:13997, CVE:CAN-2005-2620, SECTRACK:1014247
        Credits: securityteam@xxxxxxxxxxxx

============================ Description ============================

The GroupWise client sometimes caches the user name and password in 
memory while it is running.

============================== Impact ===============================

A hostile user with administrative access to the machine where a user 
is logged in may dump memory and find username/password pairs of 
logged in users.

======================== Recommended Actions ========================
GW 7 was released with these fixes already applied, so no further
action is required for GroupWise 7 users.

Until the official release of GroupWise 6.5 SP5 in mid-September, 
customers wishing to apply Field Test Files (FTF) can download these 
from http://support.novell.com/filefinder/  and locate the latest 
GroupWise Agents and GroupWise Client FTFs.  Currently as of 
August 16, 2005 the filenames are fgw655h.exe for Agents and 
f32655f7e.exe for GW Client.  Both, FTFs will need to be applied 
to get the full fix. 

See detailed instructions in the referenced Technical Information 
Document (TID): http://support.novell.com/servlet/tidfinder/10098073 

============================ DISCLAIMER =============================

The content of this document is believed to be accurate at the time 
of publishing based on currently available information. However, the 
information is provided "AS IS" without any warranty or 
representation. Your use of the document constitutes acceptance of 
this disclaimer. Novell disclaims all warranties, express or 
implied, regarding this document, including the warranties of 
merchantability and fitness for a particular purpose. Novell is not 
liable for any direct, indirect, or consequential loss or damage 
arising from use of, or reliance on, this document or any security 
alert, even if Novell has been advised of the possibility of such 
damages and even if such damages are foreseeable.

============================ Appendices =============================

None

================ Contacting Novell Security Alerts ==================

To report suspected security vulnerabilities in Novell products, 
send email to
            secure@xxxxxxxxxx

PGP users may send signed/encrypted information to us using our 
PGP key, available from the our website at: 

            http://support.novell.com/security-alerts


Novell Security Alerts, Novell, Inc. PGP Key Fingerprint:

3C6B 3F26 4E34 1ADF E27B D6C4 1AC8 9184 34D1 9739

========================= Revision History ==========================
       Original: 16-Aug-2005 - Original Publication

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDA4GUGsiRhDTRlzkRAhDnAKCrwSIzonYqwbKjxmsm+CSlvwsqiwCg+Qdn
gK8fuk3uLS6wUY1S97pV36E=
=U6IQ
-----END PGP SIGNATURE-----