nCipher ConsoleCallBack Class With JRE 1.4.0 Smart Card Passphrase Leak Vulnerability

nCipher produces a range of hardware and software security products. nCipher also provides development support, including Java classes. An issue has been reported which could cause the nCipher ConsoleCallBack class, on Windows NT and 2000, to leak smart card passphrases to shell users.

This issue is the result of the interaction between the class com.ncipher.km.nfkm.ConsoleCallBack and version 1.4.0 of the Java Runtime Environment on Windows.

If a user supplies their passphrase through the console, the application becomes unresponsive. If the user then kills the process by pressing Control-C, the passphrase is passed to the console as a command.


 

Copyright 2010, SecurityFocus