COMMAND
ActiveSync
SYSTEMS AFFECTED
ActiveSync
PROBLEM
Jeff Samples found the following. This has been tested with
Microsoft Windows 2000 Professional (build 2195) with SP1 and
Microsoft ActiveSync 3.1 (tested using an HP Jornada 540 Series
running Windows PocketPC, CE v3.0.948 Build 9357).
MS ActiveSync can access files (Outlook appts, contacts, synced
files, etc) from a Win2K workstation even though the workstation
has been locked. By simply dropping the HP into the dock, or
hooking it up to the COM port (depending on which sync method is
configured), it will sync and download data from a "locked"
workstation. Yikes!
SOLUTION
1. The desktop will only synchronize with a Pocket PC if a
partnership has previously been created, and a partnership can
only be created from the desktop side -- one can't be created
by a Pocket PC.
2. If a PIN has been selected for the Pocket PC, an attacker would
be unable to obtain any information from the device, regardless
of whether it had been synchronized.
3. Even if an attacker obtained a Pocket PC for which a
partnership already had been created, and knew the PIN for the
device, he or she could only use it to obtain information from
the desktop if ActiveSync had been configured to automatically
synchronize anytime a device is connected.
This seems to be less of a vulnerability than a use issue. For
example, folders shared on the system are available to the
network regardless of whether the system console is locked or
not. Other activity that the system may be performing will
continue as well. Locking the workstation is not the same as
logging it off. Since the hotsync manager is a desktop
application and the desktop is still "active" while the
workstation is locked, people may think this is a security flaw.
Locking the workstation is what you should do when you go use the
restroom, not when you leave for the day.