US-CERT published 19 (!!!) advisories about vulnerabilities in Secure Element's Class 5 AVR (Automated Vulnerability Remediation). The product is also known as C5 EVM (Enterprise Vulnerability Management). It allows auditing, evaluation and compliance with various policies. You can find more information about the product at http://www.secure-elements.com/products/index.htm.
There are too many vulnerabilities to list them here, but they look very bad ? starting from hard-coded user IDs and passwords, over same encryption settings for every message session to typical input validation vulnerabilities.
You can find the complete list at US-CERT's web site; http://www.kb.cert.org/vuls/bypublished.
The vulnerability is reportedly patched in the latest version of the product, C5 EVM 2.8.1.
Thanks to Juha-Matti for reporting this.
I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Paris June 2020
May 31st 2006
1 decade ago