Tempest in a Tape Encryptor: Page 2 of 5

According to CERT, the CryptoStor 700 device's two-factor authentication for administrative functions requires a smart card as well as a user name-password combination. The smart-card check is performed on the client side, inside the Web browser, by an ActiveX control, and can be bypassed by disabling ActiveX.

The CERT note says: "An attacker with knowledge of only the username and password for the administration console can gain administrative access to the CryptoStore unit. This would allow an attacker to add, change, or delete encryption rules and keys, establish cluster members, export keys for archival, and more."

The CERT report also states that NeoScale has addressed the issue with the 2.6 release of its firmware. The new firmware changes the CryptoStor ActiveX component so that it only reports the result of the authentication and no longer performs it. It also changes the ActiveX component's version number and modifies the cgi-bin program that performs the authentication so that it does not work with previous versions of the ActiveX component.
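To make the difference concrete, here is an added illustration (not NeoScale's code and not from the CERT note): a CGI-style login that trusts the browser component to have done the smart-card step, beside one that verifies that factor, and the component version, on the server. The user table, card key, challenge-response scheme and version threshold are all constructed assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this illustration; nothing here comes from the CryptoStor product.
USERS = {"admin": hashlib.sha256(b"correct horse battery").hexdigest()}
CARD_KEYS = {"admin": b"constructed-card-secret"}   # key the server can check card answers against
MIN_COMPONENT_VERSION = 2   # assumed threshold: superseded component versions are refused


def password_ok(user, password):
    digest = USERS.get(user)
    if digest is None:
        return False
    return hmac.compare_digest(digest, hashlib.sha256(password.encode()).hexdigest())


def vulnerable_login(form):
    """Pre-2.6 pattern as CERT describes it: the smart-card step ran inside the browser
    component, so the server only ever validates username and password. A client that
    never loads the component simply omits that step and is still admitted."""
    return password_ok(form.get("user", ""), form.get("password", ""))


def new_challenge():
    """Server-side nonce the card must answer; one per login attempt, so answers cannot be replayed."""
    return secrets.token_bytes(16)


def card_response(user, challenge):
    """Answer the card's key produces for a challenge (assumed scheme). The card computes it to
    answer; the server computes it again to verify, because the server, not the browser, holds the key."""
    return hmac.new(CARD_KEYS[user], challenge, hashlib.sha256).hexdigest()


def hardened_login(form, challenge):
    """Fixed pattern: the component may report an outcome, but the server verifies both
    factors itself and refuses requests that claim an old component version."""
    user = form.get("user", "")
    if not password_ok(user, form.get("password", "")):
        return False
    try:
        version = int(form.get("component_version", "0"))
    except ValueError:
        return False
    if version < MIN_COMPONENT_VERSION or user not in CARD_KEYS:
        return False
    return hmac.compare_digest(card_response(user, challenge), form.get("card_response", ""))
```

The key property is that `hardened_login` never accepts a request whose second factor was only asserted by the client: the smart-card answer has to match a server-held key against a server-chosen challenge.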

In her letter, Nelson says NeoScale's new firmware "addresses both the vulnerability itself as well as any possible residual effects from an old ActiveX control remaining on the browser platform."

NeoScale also points to the low score the vulnerability received on CERT's Severity Metric. CERT characterized the threat at 0.64 on a scale of 0 to 180, with 0 the least severe.