
Dell Data Protection | Access (DDPA) Vulnerable Components

Posted Sep 25, 2012
Authored by Stefan Kanthak

The current version of Dell's Data Protection | Access (DDPA) software for Windows (Build 2.2.00003.008 from 2012-06-14, released August 2012) contains and installs several outdated, superfluous and vulnerable Windows system components as well as outdated and vulnerable 3rd party components and drivers.

tags | advisory
systems | windows
SHA-256 | 94bd37cd29972c65c66ecaa5cf64277fc3f8e5d39650d0466b7af17303cc6c54

Hi @ll

the current version of Dell's Data Protection | Access (DDPA) software for
Windows (Build 2.2.00003.008 from 2012-06-14, released August 2012) contains
and installs several outdated, superfluous and vulnerable Windows system
components as well as outdated and vulnerable 3rd party components and drivers.

<http://www.dell.com/support/drivers/uk/en/ukdhs1/DriverDetails?driverId=KPCWG>

From the readme.txt:

| Dell Data Protection | Access (DDP|A) is an integrated end point security
| management suite, providing for seamless data security and authentication.
| It allows you to authenticate using a fingerprint, smartcard, contactless
| smartcard or password. Pre-Windows can be configured to unlock self-encrypting
| drives upon authentication.


The outdated, superfluous and vulnerable components (incomplete):

#1. "Microsoft MSXML Parser.msi" version 6.0 from 2005-09-09

All versions of Windows supported by DDP|A include a newer version
of MSXML 6.0; for the latest update/security fix cf.
<http://technet.microsoft.com/en-us/security/bulletin/ms12-043>


#2. "Microsoft Root Certificate Update October 2010\rootsupd.exe"

The current Microsoft root certificate update is from April 2012,
cf. <http://support.microsoft.com/kb/931125>


#3. "Microsoft Visual Studio Runtimes\vcredist_x86.exe"
version 9.0.30729.17 from 2008-08-08

For the current Microsoft Visual C++ 2008 Redistributable Package
cf. <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>


#4. "Microsoft CCID Smartcard Reader for XP\usbccid.sys"
version 5.2.3790.2444 from 2005-05-17

The installer package for DDP|A, however, includes the hotfix
"WindowsXP-KB967048-v2-x86-ENU.exe" with the current version of
this driver: 5.2.3790.4476, 2009-03-17


#5. "AuthenTec AES2810 Fingerprint Reader\AT8MinFoose.msi"
version 8.4.4.39 from 2012-02-02

Cf. <http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/>


#6. "UPEK TouchChip Fingerprint Reader\UPEK_Touchchip.msi"
version 5.9.4.6685 from 2010-09-15

Cf. <http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/>

This driver package contains parts of OpenSSL (no version specified),
it installs a textfile "OpenSSL license" from 2006-06-14!
So: add OpenSSL to the list of vulnerable components too.


#7. "UPEK TouchChip Fingerprint Reader PBA Support\spba.msi"
version 5.9.4.6901 from 2010-??-??

This package contains a vulnerable MSVCRT+ 2005 runtime (version
8.0.50727.762)

Cf. <http://technet.microsoft.com/en-us/security/bulletin/ms11-025>

This driver package contains parts of OpenSSL (no version specified),
it installs a textfile "OpenSSL license" from 2006-06-14!
So: add OpenSSL to the list of vulnerable components too.


#8. "Preboot Manager.msi" version 03.02.00.119 from 2011-12-06
by Wave Systems Corp.

This package contains a vulnerable MSXML 4.0 SP2 (version 4.20.9818.0
from 2003-04-18).
Cf. <http://technet.microsoft.com/en-us/security/bulletin/ms12-043>

This package contains a VTAPI.DLL (version 5.6.0.3239 from 2006-11-13)
from UPEK Inc. (see #6 and #7 above) which contains parts of OpenSSL.
So: yet another component with vulnerable OpenSSL code.

JFTR: no textfile with the "OpenSSL license" included here.


#9. "NTRU CryptoSystems TCG Software Stack\NTRU-CTSS-v1.2.1.37-eu.msi"
version 1.2.1.37 from 2011-10-08
by NTRU CryptoSystems Inc.

This package contains a vulnerable MSVCRT++ 2010 (version 10.0.30319.1
from 2010-03-18), cf.
<http://technet.microsoft.com/en-us/security/bulletin/ms11-025>


... and more (I stopped counting)!


Dell Inc.: Don't you have any QA? Can't afford one?
UPEK Inc.: Don't you have any QA? Can't afford one?
Wave Corp.: Don't you have any QA? Can't afford one?
NTRU Inc.: Don't you have any QA? Can't afford one?

What about just a little bit of serious software engineering and due
diligence in your development, build and production processes?

It's a stupid idea to build security software from vulnerable components!


Stefan Kanthak


Timeline
~~~~~~~~

2012-08-24 informed vendor support

2012-09-24 no reaction/reply from vendor support, report published
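
An added example, not part of the advisory or of any vendor tooling: a PowerShell function that walks an unpacked copy of an installer payload and flags binaries whose file version equals one the advisory lists, or, for usbccid.sys, is older than the version item #4 names. The function name `Get-OutdatedComponent` and matching on the version number alone are assumptions of this example.

```powershell
# Versions the advisory lists as outdated, keyed by version number.
# Assumption of this example: a file carrying one of these exact versions
# is the component the advisory refers to.
$Flagged = @{
    '4.20.9818.0'   = 'MSXML 4.0 SP2 (item #8)'
    '8.0.50727.762' = 'Visual C++ 2005 runtime (item #7)'
    '9.0.30729.17'  = 'Visual C++ 2008 redistributable (item #3)'
    '10.0.30319.1'  = 'Visual C++ 2010 runtime (item #9)'
    '5.6.0.3239'    = 'UPEK VTAPI.DLL with OpenSSL code (item #8)'
}

# Item #4 names the newer driver version, so that file gets a minimum instead.
$Minimum = @{ 'usbccid.sys' = [version]'5.2.3790.4476' }

function Get-OutdatedComponent {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $_.Extension -in '.dll', '.sys', '.exe', '.ocx' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from the numeric fields: the FileVersion
            # string often carries build-lab text after the number.
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)

            $reason = $Flagged[$ver.ToString()]
            $min    = $Minimum[$_.Name]   # hashtable keys are case-insensitive
            if (-not $reason -and $min -and $ver -lt $min) {
                $reason = "older than $min (item #4)"
            }

            if ($reason) {
                [pscustomobject]@{
                    File    = $_.FullName
                    Version = $ver
                    Reason  = $reason
                }
            }
        }
}
```

MSI packages have to be unpacked before their files can be inspected this way, for example with an administrative install (`msiexec /a <package>.msi /qn TARGETDIR=<dir>`); the result of `Get-OutdatedComponent -Path <dir>` can then be piped to `Format-Table` or `Export-Csv`.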

