a) Faronics is sending DMCA notices to researchers describing vulnerabilities in their products[1];
b) there is no security contact or PGP key available on the Faronics website;
c) these bugs require local user access and cannot be exploited remotely;
Faronics was not notified in advance.

Faronics Deep Freeze weakly-encrypted password disclosure vulnerability
-----------------------------------------------------------------------

Application Vendor: Faronics
Vendor URL: http://www.faronics.com
Discovered by: kao <kao.was.here@gmail.com>
Date discovered: Nov-2012
Public disclosure date: Mar-2013
Type of vulnerability: Weak Cryptography - Design Flaw

Background
----------
Faronics Deep Freeze is an application that allows system administrators to
protect the core operating system and configuration files on a workstation or
server by restoring a computer back to its original configuration each time
the computer restarts. According to the Faronics website, the software is
installed on over 5 million workstations worldwide.

Versions affected
-----------------
This vulnerability has been successfully tested on the following versions:

Faronics Deep Freeze Standard 6.10..7.51
Faronics Deep Freeze Enterprise 6.00..7.51
Faronics Deep Freeze Server Standard 6.30..7.51
Faronics Deep Freeze Server Enterprise 6.30..7.51

However, it is suspected that most previous versions are also affected.

Description of vulnerability
----------------------------
The DeepFreeze user-mode process requests DeepFreeze configuration information
from the driver using an IoControl call. The returned buffer contains not only
the product configuration but also an xor-encrypted password that allows
complete access to the DeepFreeze configuration interface. The decryption key
is also present in the buffer.

There are several possible attack vectors:
- An attacker can dump frzstate2k.exe process memory and locate the encrypted
  password in it.
- An attacker can issue an IoControl call and receive configuration information
  including the encrypted password.

Proof-of-Concept
----------------
See Meltdown and its source code.

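
The design flaw described above, as an added example that is not part of the original advisory and is not Faronics code: a secret XOR-obfuscated with a key carried in the same buffer is recoverable by any reader, whereas a salted one-way verifier is not. The buffer layout, function names and sample password are assumptions constructed for illustration; PBKDF2 stands in for any slow one-way function.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed layout (an assumption, not the product's real format):
#   [1-byte key length][key][1-byte ciphertext length][ciphertext]

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def weak_config_buffer(password: str, key: bytes) -> bytes:
    """Flawed pattern: the obfuscated password travels with its own key."""
    ct = xor_bytes(password.encode(), key)
    return bytes([len(key)]) + key + bytes([len(ct)]) + ct

def recover_from_weak(buf: bytes) -> str:
    """What any reader of the buffer can do: no other secret is needed."""
    klen = buf[0]
    key = buf[1:1 + klen]
    clen = buf[1 + klen]
    ct = buf[2 + klen:2 + klen + clen]
    return xor_bytes(ct, key).decode()

def hardened_verifier(password: str, salt: Optional[bytes] = None) -> bytes:
    """Corrected pattern: keep only a salted, slow, one-way verifier."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest

def check_password(verifier: bytes, candidate: str) -> bool:
    """The privileged side checks a candidate; nothing reversible leaves it."""
    salt, digest = verifier[:16], verifier[16:]
    test = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 200_000)
    return hmac.compare_digest(digest, test)  # constant-time comparison

if __name__ == "__main__":
    sample = "S3cret!"                      # constructed sample value
    buf = weak_config_buffer(sample, b"\x5a\xa5\x3c")
    print("weak buffer reveals:", recover_from_weak(buf))
    v = hardened_verifier(sample)
    print("verifier accepts correct:", check_password(v, sample))
    print("verifier accepts wrong:  ", check_password(v, "guess"))
```
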
Faronics Deep Freeze Enterprise Customization Code Hash disclosure vulnerability
--------------------------------------------------------------------------------

Application Vendor: Faronics
Vendor URL: http://www.faronics.com
Discovered by: kao <kao.was.here@gmail.com>
Date discovered: Nov-2012
Public disclosure date: Mar-2013
Type of vulnerability: Weak Cryptography - Design Flaw

Background
----------
Faronics Deep Freeze is an application that allows system administrators to
protect the core operating system and configuration files on a workstation or
server by restoring a computer back to its original configuration each time
the computer restarts. According to the Faronics website, the software is
installed on over 5 million workstations worldwide.

Versions affected
-----------------
This vulnerability has been successfully tested on the following versions:

Faronics Deep Freeze Enterprise 6.00..7.51
Faronics Deep Freeze Server Enterprise 6.30..7.51

However, it is suspected that most previous versions are also affected.

Description of vulnerability
----------------------------
After installation of the administrator console, the product asks for a unique
"Customization Code". An xor-encrypted 32-bit hash of the Customization Code is
stored in dfc.exe, frzstate2k.exe and dfserv.exe. These files are later
installed on client machines.

Anyone who has read access to these files (including the Guest account) can
extract the 32-bit hash and use it to generate a One Time Password (OTP) and
therefore gain complete access to the Deep Freeze configuration interface.

Proof-of-Concept
----------------
See Meltdown and its source code.