What’s New in Timbuktu Pro for Windows, version 8.6.7 Timbuktu Pro will then attempt to authenticate, the guest user should press the ESC key or click the Cancel button to close the dialog box. However, if the Timbuktu Pro host computer presents the “second chance” Log In dialog box, in which the guest user can enter a Windows user name and password that If a user’s Windows credentials are accepted automatically during the connection process, no further action is required. Instruct your Timbuktu Pro users not to provide Windows access credentials when connecting to a Timbuktu Pro host computer. Because the guest computer encrypts the session key with the attacker’s public key, the attacker can then decrypt the session key and therefore decrypt the user’s Windows credentials. The guest computer then generates a session encryption key and uses the key to encrypt the Windows credentials the guest user provided. In this vulnerability, if automatic Windows NT User authentication fails and the guest user enters Windows credentials in the “second chance” Log In dialog box, the guest computer will request a public encryption key from a public/private encryption key pair generated by the attacker. When a Timbuktu Pro guest computer on the local network attempts to establish a Timbuktu Pro connection, the compromised computer may be able to use one or more “spoofing” methods to convince the guest computer that it is the computer to which the guest computer is attempting to connect. Vulnerability II The second vulnerability may be exploited if an attacker is able to execute non-privileged code on any computer. However, if the Timbuktu Pro host computer presents the “second chance” Log In dialog box, in which the guest user can enter a Windows user name and password that Timbuktu Pro will then attempt to authenticate, the guest user should press the ESC key or click the Cancel button to close the dialog box. HKLM\SOFTWARE\Netopia\Timbuktu Pro\Security\DisableGuestAuthentication To disable Windows NT User authentication, set the following registry key to a value of 1. Install Timbuktu Pro 8.6.8, which removes the vulnerability, on all Timbuktu Pro computers.ĭisable Windows NT User authentication on all Timbuktu Pro computers. If automatic Windows NT User authentication fails and the guest user enters Windows credentials in the “second chance” Log In dialog box, the attacker may be able to read the user name and password the Timbuktu Pro user enters.Īffected Versions This issue may affect any version of Timbuktu Pro from Timbuktu Pro 4.0.0 (Timbuktu Pro 2000) through Timbuktu Pro 8.6.7. If the local Timbuktu Pro user restarts the TB2 Launch Windows service, the attacker may be able to take control of the named pipe that Timbuktu Pro opens during the connection process. Vulnerability I The first vulnerability may be exploited if an attacker is able to execute non-privileged code on a Timbuktu Pro guest computer. The following sections describe both vulnerabilities, the versions of Timbuktu Pro in which they are present, and suggestions for how to prevent the exploitation of the vulnerabilities. Motorola recommends that all Timbuktu Pro for Windows users update to the latest version of the product, Timbuktu Pro version 8.6.8, which is not vulnerable to these issues. Timbuktu Pro for Windows is the only product that is affected by this vulnerability. Timbuktu Pro is no longer vulnerable to two security vulnerabilities which may allow an attacker to read a Timbuktu Pro user’s Windows access credentials (user name, password, and Windows domain) if the user enters them in the “second chance” dialog box, which appears when Timbuktu Pro’s automatic authentication of Windows NT Users fails. What’s New in Timbuktu Pro for Windows, version 8.6.8 This version of Timbuktu Pro includes an enhancement designed to address certain security vulnerabilities in Timbuktu Pro. You can also find technical support information at If you have additional questions, consult the Timbuktu Pro online Help. This document contains important information about Timbuktu Pro for Windows, version 8.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |