-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 
                              @stake, Inc.
                            www.atstake.com
                           Security Advisory

Advisory Name: Lexar JumpDrive Secure(tm) Password Extraction 
 Release Date: 09-13-2004
  Application: JumpDrive Secure(tm) Version 1.0 and Lexar Safe
               Guard(tm) software
     Platform: Windows and Mac
     Severity: An attacker can extract the password from the
               Lexar JumpDrive Secure and access the private 
               partition.
      Authors: Katie Moussouris <kmoussouris@atstake.com>
               Luis Miras <lmiras@intrusion.com>
Vendor Status: Contacted, No response
CVE Candidate: CVE Candidate number applied for
    Reference: www.atstake.com/research/advisories/2004/a091304-1.txt


Overview:

- From the User Guide:
"Lexar Safe Guard(tm) is an application that allows you to password
protect private files on your Lexar Jump Drive. Safe Guard allows
you to divide your JumpDrive into two different areas, or zones.
The public zone, which comes up automatically when you insert your
Jump Drive into a USB port on your computer, is accessible by any
one using your drive. The private zone is password-protected and no
one can open, copy, or write files to it without entering the
password first."

There is a method of accessing the private zone on the JumpDrive
Secure device without knowing the password beforehand.  The
password can be observed in memory or read directly from the
device, without evidence of tampering.  All data thought to be
secure in the private zone can be accessed, altered, or deleted
arbitrarily by an attacker with physical access to the device.


Details:

The password is located on the JumpDrive device. It can be read
directly from the device without any authentication. It is stored
in an XOR encrypted form and can be read directly from the device
without any authentication. 

It is also possible to attach a debugger to the Safe Guard
software and read the password from memory. The Safe Guard
software takes care of the decryption and the password can be
seen in plain text within memory when the software does a
compare between the stored password and the supplied password.


Vendor Response:

08-05-2004 Vendor contacted via email to support@lexarmedia.com
           No response.
08-12-2004 Vendor contacted again via email to support, sales
           Public Relations, Investor Relations, and general
           inquiry email addresses.
08-12-2004 Automated response from support received
09-13-2004 No further response from vendor, advisory released

Vendor has not acknowledged issue or produced a fix.


Recommendation: 

Users of this device should not trust the security of the
private partition if the device is not in their possession.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues.  These are
candidates for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems.

  CAN-2004-XXXX Lexar JumpDrive Secure(tm) Password Extraction


@stake Vulnerability Reporting Policy: 
http://www.atstake.com/research/policy/

@stake Advisory Archive: 
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQUXWdke9kNIfAm4yEQIsbACggguUCcKRk1eoz2yRk/hqbYEFH7YAoLjW
2PPdcVbM2ucT2L8NUZ2c0AYe
=KdSu
-----END PGP SIGNATURE-----