Detections
Analytics

AgileBits 1Password 6.3.3 Multiple Vulnerabilities

medium Nessus Plugin ID 100955

Language:

Synopsis

A password management application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of AgileBits 1Password installed on the remote Windows host is equal or prior to 6.3.3. It is, therefore, affected by multiple vulnerabilities :

 - A security weakness exists in the internal web browser in which the default protocol that is used is set to HTTP. If a user visits a website without specifying the full URL, the more secure HTTPS protocol will not be used even if it is available. A man-in-the-middle attacker can exploit this to disclose sensitive information. (SIK-2016-039)

 - A security weakness exists in the database of the password manager due to lack of encryption for titles and URLs. An attacker who is able to obtain a copy of the encrypted database can exploit this to disclose the websites for which the user has stored credentials without having to break the cryptography. (SIK-2016-040)

 - A security weakness exists in the password manager due to sending the target domain to the vendor's web server in order to obtain from a server-side cache an icon that represents the respective target website. This issue allows the vendor to track all the sites for which the user has created database entries. (SIK-2016-042)

Solution

Upgrade to a version of AgileBits 1Password that is later than 6.3.3.

See Also

http://www.nessus.org/u?eedc9d32

https://team-sik.org/sik-2016-039/

https://team-sik.org/sik-2016-040/

https://team-sik.org/sik-2016-042/

Plugin Details

Severity: Medium

ID: 100955

File Name: agilebits_1password_multiple_vulns_01.nasl

Version: Revision: 1.1

Type: local

Agent: windows

Family: Windows

Published: 6/21/2017

Updated: 6/21/2017

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

CPE: cpe:/a:agilebits:1password

Required KB Items: SMB/Registry/Enumerated, installed_sw/1Password

Patch Publication Date: 9/27/2016

Vulnerability Publication Date: 9/27/2016