Secure Elements fixes flaws in security product

31.05.2006
Secure Elements Inc., a Herndon, Va.-based vendor of vulnerability management and auditing products, today downplayed the seriousness of multiple vulnerabilities that were disclosed in its flagship product by the U.S. Computer Emergency Readiness Team (US-CERT) Tuesday.

A spokesman for Secure Elements said the vulnerabilities in question had been reported to the company in November 2005 by one of its customers. Since then, all of the flaws have been patched and the company has been working since January to migrate all of the customers affected by the flaws to a fully patched version of the product.

"This is no longer an issue," said Scott Armstrong, vice president of product marketing at Secure Elements. "The reality is that the [affected product] is no longer being used by any of our customers. It is not available."

US-CERT Tuesday published vulnerability notes detailing 19 flaws in Version 2.8.0 of Secure Elements' C5 EVM vulnerability management suite. The product was previously known as C5 AVR.

Among the flaws listed by US-CERT were the transmission of sensitive information in clear text between the AVR server and client product, the presence of hard-coded user IDs and passwords in the AVR server, and access control and authentication vulnerabilities.

Armstrong said the vulnerabilities were uncovered last November by the Computer Incident Response Team at the National Oceanic and Atmospheric Administration (NOAA). Secure Elements' vulnerability management product had been selected for enterprisewide deployment at NOAA, and the product was being subjected to routine security testing by the organization's incident response team when the flaws were discovered, he said.