McAfee SafeBoot Device Encryption Plain Text Password Disclosure
24 Sep. 2008
Summary
The password checking routine of SafeBoot Device Encryption fails to sanitize the BIOS keyboard buffer after reading passwords, resulting in plain text password leakage to unprivileged local users.
Vulnerable Systems:
* SafeBoot Device Encryption version 4 Build 4750 and below
Immune Systems:
* SafeBoot Device Encryption version 4 Build 4760 and above
* SafeBoot Device Encryption version 5.x
SafeBoot's pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e.
Impact:
Plain text password disclosure. Local guest access is required, but no physical access to the machine.
Vendor response:
"SafeBoot Device Encryption v4, Build 4750 and below are subject to this vulnerability. Builds 4760 and above are not. Customers should upgrade to the current version of SafeBoot Device Encryption v4, or migrate to the current McAfee Endpoint Encryption for PC v5 platform which replaced the earlier product in March 2007."
