Bugtraq mailing list archives
RE: Sonicwall diag tool includes VPN credentlials
From: Stephan Sachweh <Stephan.Sachweh () pallas com>
Date: Mon, 2 Aug 2004 09:53:42 +0200
Milton Lopez <mlopez () iattc org> wrote on 30.07.2004 23:46:07:
Our Sonicwall Pro 300 firewall appliance includes a diagnostic tool called "Tech Support Report", which dumps the current configuration info to a plain text file. I have been asked by Sonicwall personnel to email this file as an attachment during several tech. support calls, without any additional warning or explanation.
Before downloading there is a Warning "You are about to export sensitive information in plaintext format. Continue?". So the firmware tells you, what you are doing.
One of the items included in the report is a plain-text copy of the Shared Secret used for authenticating VPN users. Unless everything I've read about protecting this kind of information is suddenly not true, sending unprotected shared secrets to anyone via email is very bad idea.
The shared secret is not included in the standard report. You have to tag "VPN Keys" before generating the report. But sure, the Tech Support Report includes other sensitive information (IP networks connected, routing tables, mail addresses etc). I would not send this report by plain mail. Normally the TechSupport Report should be added to a https protected customer portal site at sonicwall. I had never been asked by sonicwall tech support to send a report by mail. Freundliche Grüße Stephan Sachweh Technischer Leiter, Prokurist -------------------------------------------------------------------- //// pallas Pallas GmbH / Hermülheimer Str. 10 / 50321 Brühl Stephan.Sachweh () pallas com / www.pallas.com Tel 02232-1896-62 / Fax 02232-1896-29 / Mobil 0173-5490754 --------------------------------------------------------------------
Current thread:
- RE: Sonicwall diag tool includes VPN credentlials Eric McCarty (Aug 02)
- <Possible follow-ups>
- Re: Sonicwall diag tool includes VPN credentlials neil gardner (Aug 02)
- RE: Sonicwall diag tool includes VPN credentlials Stephan Sachweh (Aug 02)
- RE: Sonicwall diag tool includes VPN credentlials Jody McCluggage (Aug 02)