AgileBits 1Password 6.3.3 Multiple Vulnerabilities

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A password management application installed on the remote host is
affected by multiple vulnerabilities.

Description :

The version of AgileBits 1Password installed on the remote Windows
host is 6.3.3 or earlier. It is, therefore, affected by multiple
vulnerabilities :

- A security weakness exists in the internal web browser,
whose default protocol is HTTP. If a user enters a site
without specifying the full URL (including the scheme),
the more secure HTTPS protocol will not be used even if
the site supports it. A man-in-the-middle attacker can
exploit this to disclose sensitive information.
(SIK-2016-039)

- A security weakness exists in the database of the
password manager because entry titles and URLs are stored
unencrypted. An attacker who obtains a copy of the
encrypted database can exploit this to learn which
websites the user has stored credentials for, without
having to break the cryptography. (SIK-2016-040)

- A security weakness exists in the password manager due
to sending the target domain to the vendor's web server
in order to obtain from a server-side cache an icon that
represents the respective target website. This issue
allows the vendor to track all the sites for which the
user has created database entries. (SIK-2016-042)
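The first weakness is a default-scheme problem: when the user omits the scheme, the built-in browser falls back to plain HTTP. The following is an added illustration (not code from 1Password or from Tenable) of the safe behaviour, written in Python: an input typed without a scheme is completed with HTTPS, an explicit scheme is kept as typed, and anything other than http/https is rejected. The function name `normalize_url` and the `default_scheme` parameter are assumptions made for this example; passing `default_scheme="http"` reproduces the weak default the advisory describes.

```python
import re
from urllib.parse import urlsplit

# Matches an explicit scheme at the start of the input, e.g. "https://".
# A regex is used instead of urlsplit() for this check because urlsplit
# treats "example.com:8080/login" as scheme "example.com".
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

# The secure default: complete scheme-less input with HTTPS.
DEFAULT_SCHEME = "https"

# Hypothetical helper for this example; not part of 1Password.
def normalize_url(user_input: str, default_scheme: str = DEFAULT_SCHEME) -> str:
    """Return a complete URL, adding default_scheme when the user typed none.

    An explicitly typed scheme is respected; schemes other than http and
    https are rejected so the browser only ever opens web URLs.
    """
    text = user_input.strip()
    if not text:
        raise ValueError("empty URL")
    if not _SCHEME_RE.match(text):
        # No scheme given: this is exactly the case the advisory is about.
        # Prepending "https://" instead of "http://" removes the downgrade.
        text = f"{default_scheme}://{text}"
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    if not parts.netloc:
        raise ValueError("URL has no host")
    return text


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for typed in ("example.com", "example.com:8080/login", "http://legacy.example"):
        print(f"{typed!r:32} -> {normalize_url(typed)}")
```

Sites that do not support HTTPS will fail to load under this default, which is the intended trade-off: the user then has to type `http://` explicitly rather than being silently downgraded.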

See also :

http://www.nessus.org/u?eedc9d32
https://team-sik.org/sik-2016-039/
https://team-sik.org/sik-2016-040/
https://team-sik.org/sik-2016-042/

Solution :

Upgrade to a version of AgileBits 1Password that is later than 6.3.3.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

Family: Windows

Nessus Plugin ID: 100955

Bugtraq ID:

CVE ID:
