16th Apr 2003 [SBWID-6151]
COMMAND
	ActivCard password cache memory leakage
SYSTEMS AFFECTED
	ActivCard Gold 2.2
PROBLEM
	Hernán Otero [http://www.xss.com.ar] reported the following:
	In December 2002 I was analysing the ActivCard product for a client.
	During the analysis I noticed that by making a memory dump of the
	process "scardsrv" it was possible to obtain the users stored statically
	in the card.
	At first this issue could seem minor, although in depth it already has
	a very serious character, but on deepening the analysis I found that
	even with the card pulled out from the PC the users and passwords
	remained in memory.
	This was reported properly to ActivCard (this can be read in the mail
	thread below).
	Here is the answer from our Product Manager about this issue:
	The problem found relates to accessing static passwords stored (for
	performance) in a memory cache by ActivCard Gold. ActivCard recognizes
	the seriousness of this problem, and will fix it in the next version of
	the product - ActivCard is currently working on a mechanism that will
	prevent a memory dump to access any kind of personal data. Note that
	this problem is only applicable to static passwords. PKI private keys
	and Dynamic Password keys are always stored securely on the card and
	never loaded on the PC. Also note that this problem only happens after
	the user has accessed the card with his PIN, and while the user is
	still using the card. As soon as the user removes the card and logs out
	of his session, the cache is cleared and the static passwords cannot be
	accessed anymore.
	(/****NOTE***** This is not true: I did some tests, and even with the
	card pulled out the users and passwords remain in the memory
	area******/)
	Regards, Jensen Toma
	I have not received any news or contact since February. I believe it is
	convenient to publish this "vulnerability" to accelerate the process of
	correction.
SOLUTION
	Version 2.3 may correct this; this has to be checked.
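	The behaviour the vendor describes (cache cleared when the card is
	removed) can be checked in code. The following is an added example, not
	ActivCard's code: the cache layout and every function name are
	hypothetical. It wipes the whole cache on the removal event and exposes
	a helper that counts the bytes left behind.

```c
#include <stddef.h>
#include <string.h>
#define MAX_ENTRIES 8
#define FIELD_LEN   64
/* One cached static credential (hypothetical layout, not ActivCard's). */
struct cred { char user[FIELD_LEN]; char pass[FIELD_LEN]; int in_use; };
static struct cred cache[MAX_ENTRIES];

/* Wipe through a volatile pointer so the stores cannot be optimized away. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* After a successful PIN check: cache one static password. */
int cache_put(const char *user, const char *pass)
{
    if (strlen(user) >= FIELD_LEN || strlen(pass) >= FIELD_LEN)
        return -1;                  /* refuse rather than truncate */
    for (size_t i = 0; i < MAX_ENTRIES; i++) {
        if (cache[i].in_use) continue;
        strcpy(cache[i].user, user);
        strcpy(cache[i].pass, pass);
        cache[i].in_use = 1;
        return 0;
    }
    return -1;                      /* cache full */
}

/* Cached password for user, or NULL when nothing is cached. */
const char *cache_get(const char *user)
{
    for (size_t i = 0; i < MAX_ENTRIES; i++)
        if (cache[i].in_use && strcmp(cache[i].user, user) == 0)
            return cache[i].pass;
    return NULL;
}

/* Card-removal or logout handler: wipe every slot, used or not. */
void on_card_removed(void) { secure_wipe(cache, sizeof cache); }

/* Verification helper: non-zero bytes still present in the cache. */
size_t cache_residue(void)
{
    const unsigned char *b = (const unsigned char *)cache;
    size_t n = 0;
    for (size_t i = 0; i < sizeof cache; i++) n += (b[i] != 0);
    return n;
}
```

	The wipe covers only this buffer; copies of the password made elsewhere
	in the process (stack, UI buffers, paged-out memory) need the same
	treatment.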