Re: Utimaco Safeguard Easy vulnerability

[Juha-Matti Laurio <juha-matti.laurio@xxxxxxxx>]

The following vendor statement (English language) including workarounds has 
been released recently:

Statement on SafeGuard(R) Easy Articles regarding Configuration File 
Vulnerability:
http://www.utimaco.fi/servlets/ActionDispatcher?action:ws3_content_get_binary=true&scope=domain&domain_id=www.utimaco.fi&page_id=/templates/ajankohtaisteksti.jsp?ws3_page_id=tiedoteartikkeli_103&form_id=&component_id=linkin_dokumentti_104

- Juha-Matti


boomboom999@xxxxxxxxx wrote: 
> Hello guys,
>
> At this moment our company looks for a software to encrypt the whole disk 
> drives on laptops.
>
> I see that many companies and government  institutions use Utimaco Safeguard 
> Easy.
>
> First, we looked at this software as well.
>
> However, it seems that the tool that is supposed to make laptops more secure 
> has some serious problems related to password and key distribution.
>
> For deployement in big companies, Utimaco recommend to implement centralized management. 
> The management is done via CFG-files that are pushed via SMS, Active Directory or otherwise.
>
> These CFG files contain encryption keys for hard disks and floppy, as well as user passwords and backup passwords for recovery. 
>
> The content of the file is supposedly "encrypted" as Utimaco's manual says. 
> However, it seems that the encryption keys are hardcoded directly in the EXE file. So, 
> they are easily recoverable and all these CFG files can be easily compromised.
>
> I am just wondering whether it has been discussed here and someone else has 
> seen this problem before?
>
> I know that many government and bank institutions use this product, am I the 
> only person to see this security whole?
>
> Thank you
>
> boom