NeoScale downplayed a vulnerability note issued by the U.S. Computer Emergency Readiness Team (CERT), saying it already fixed the problem and accused a rival of exaggerating the risk.
CERT's warning this week detailed a flaw in the authentication process of NeoScale Systems CryptoStor 700 tape encryption appliances. NeoScale CEO Barbara Nelson dashed off a note to media and analysts today saying the vendor fixed the problem in the latest version of its firmware released this month and blamed competitor Decru for sending out misleading information to scare off customers. The CERT note confirmed that NeoScale's latest release addresses the vulnerability.
CERT, part of the U.S. Department of Homeland Security, collects and manages computer security threats.
"CERT characterized this vulnerability as one that could allow a malicious user to bypass additional two-factor authentication if [her emphasis] they had knowledge of a security officer's user ID and password," Nelson said in her letter.
According to CERT, the CryptoStor 700 device's two-factor authentication for administrative functions requires a smart card as well as a username-password combination. The smart card check is performed on the client side, within the Web browser, by an ActiveX control, and can be bypassed by disabling ActiveX.
The CERT note says: "An attacker with knowledge of only the username and password for the administration console can gain administrative access to the CryptoStore unit. This would allow an attacker to add, change, or delete encryption rules and keys, establish cluster members, export keys for archival, and more."
The CERT report also states that NeoScale has addressed the issue with the 2.6 release of its firmware. The latest firmware changes the CryptoStor ActiveX component so that it only reports on the success of the authentication but does not perform the authentication itself. It also changes the ActiveX component version number and modifies the cgi-bin program that performs the authentication so that it does not work with previous versions of the ActiveX component.
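The design lesson in the two paragraphs above is that a second factor checked only by a browser-side component is a factor the appliance never actually verifies. The following is an added, simplified illustration (not NeoScale's code, not the CERT advisory's text) of the two patterns: a legacy handler that trusts the client's report that the smart-card step passed, beside a server-side handler that issues a fresh challenge and accepts the card step only when the response proves possession of the card secret. The credential store, the HMAC-based card model, the `secoff` account and the `REQUIRED_COMPONENT_VERSION` string are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: one security-officer account with a
# salted password hash and the secret its smart card holds.  Every value
# here is made up for this example.
_SALT = b"example-salt"
_USERS = {
    "secoff": {
        "pw_hash": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
        "card_secret": b"smart-card-secret-for-secoff",
    }
}

# Hypothetical component version the fixed server-side program insists on,
# mirroring the advisory's note that older ActiveX versions are rejected.
REQUIRED_COMPONENT_VERSION = "2.6-example"


def _password_ok(user, password):
    """First factor: constant-time comparison of a salted password hash."""
    rec = _USERS.get(user)
    if rec is None:
        return False
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(digest, rec["pw_hash"])


def legacy_login(user, password, client_says_card_ok):
    """Pattern the advisory describes: the browser-side component decides
    whether the smart-card step passed and merely reports the outcome.  The
    server trusts that report, so the second factor is enforced by the
    client, not by the appliance; anything that can send the request can
    also send the 'card ok' flag."""
    return _password_ok(user, password) and bool(client_says_card_ok)


def card_sign(card_secret, nonce):
    """What a genuine card (or its driver) computes over the server's
    challenge; modelled as an HMAC here for simplicity."""
    return hmac.new(card_secret, nonce, hashlib.sha256).digest()


class FixedAuth:
    """Server-side enforcement: the appliance issues a fresh challenge and
    accepts the card step only if the response is the correct function of
    that challenge and the card secret.  The client's own opinion of the
    card step is never consulted, and each challenge is single-use."""

    def __init__(self):
        self._pending = {}  # user -> outstanding challenge nonce

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def login(self, user, password, card_response, component_version):
        # Consume the nonce unconditionally so a failed attempt cannot be
        # retried against the same challenge.
        nonce = self._pending.pop(user, None)
        if nonce is None:
            return False
        if component_version != REQUIRED_COMPONENT_VERSION:
            return False
        if not _password_ok(user, password):
            return False
        expected = card_sign(_USERS[user]["card_secret"], nonce)
        return hmac.compare_digest(expected, card_response)
```

In the fixed flow the card response has to be computed over a nonce the appliance generated moments earlier, so a request that only asserts success, replays an old response, or arrives from a down-level component is refused on the server regardless of what the browser-side control reported.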
In her letter, Nelson says NeoScale's new firmware "addresses both the vulnerability itself as well as any possible residual effects from an old ActiveX control remaining on the browser platform."
NeoScale also points to the low score the vulnerability received on CERT's Severity Metric. CERT characterized the threat at 0.64 on a scale of 0 to 180, with 0 the least severe.
Nelson says Decru sent an email to NeoScale customers, partners, and the media making the vulnerability sound worse than it was. Her letter says Decru's "negatively-oriented marketing campaign" claims an attacker with a user password can gain access to the system key without a smart card. "This statement is completely false, is not included anywhere in the CERT advisory, and has nothing whatsoever to do with the CERT advisory," she says.
Decru marketing VP Kevin Brown says Decru doesn't have a NeoScale customer list, although he admits his company did send out emails to media, analysts, and others because it wanted its customers to know it did not have the same issues. He says any emails sent contained information available on the CERT site. For instance, CERT's note said when a user logged into the CryptoStor appliance its ActiveX component authenticated the user.
"As a privileged user, he or she was then able to gain access to the System Key of the NeoScale CryptoStor Tape Appliance," CERT's report said.
Brown says Decru does authentication directly from the smart card to the encryption appliance without going through Windows' ActiveX component.
NeoScale began shipping the CryptoStor 700 in February of 2005. (See NeoScale Adds Tape Security.) Rosenblum says he does not know how many customers are using the appliance but claims NeoScale has close to 200 overall customers and most of its enterprise customers use the 700. He says the fix was part of a production release sent out this month.
Storage analysts say that while any vulnerability can be significant, they are far from uncommon and NeoScale appears to have fixed the problem in a timely manner. "The CERT warning talks about a fix," says Diane McAdam of The Clipper Group. "It sounds like a problem NeoScale addressed."
So why put out an advisory after the problem has been fixed? CERT does not publish vulnerabilities until they are fixed because it doesn't want to publicize security holes. And now that there is a fix, customers need to know about it.
"The way I'm reading this, CERT is saying, 'You better check what version you're running,'" McAdam says. "This is a way of alerting people, if you've got this unit, check your version number."
Analyst Greg Schulz of StorageIO agrees, saying vendors and customers share responsibility for staying current on security upgrades.
"Regardless of who your vendor is, you need to stay up to date with software, firmware, anti-virus definitions, whether we're talking about encryption, storage, operating systems, or whatever," he says.
Dave Raffo, News Editor, Byte and Switch