Challenge Response Client (LCM) allows clipboard contents to be pasted into question response fields when workstation is locked

  • 3726376
  • 04-Feb-2008
  • 26-Apr-2012

Environment

Novell Client for Windows XP/2003
NMAS Client
Challenge Response Client (LCM)

Situation

Challenge Response Client 2.7.5 or earlier are affected. Challenge Response Client 2.7.5 shipped with Novell Client 4.91 SP4.

The weakness is due to the Challenge Question dialog box of the Challenge Response client failing to restrict access to the contents of the clipboard when the system is "locked".

This can be exploited to disclose the text contents of the current user's clipboard by pasting it into the "Challenge Question" field.

This security vulnerability is not critical.

Resolution

Download and apply Challenge Response Client 2.7.6 FTF (or greater).


Status

Security Alert

Feedback service temporarily unavailable. For content questions or problems, please contact Support.