A security issue has been identified in the NetSupport HTTP protocol implementation used for communication between the NetSupport Manager Gateway (Connectivity Server) and NetSupport Manager Controls or Clients. The headers of some NetSupport HTTP packets contained information in plain text that could be used to identify details of the Client machine. The unencrypted data describes the Client’s IP address, the hardware MAC address and the logged-on user’s name.
No password or security key information was transmitted in plain text.
The issue is resolved in NetSupport Manager 11.00.0005 or later. The NetSupport HTTP protocol implementation has been updated so that all information is encrypted and nothing is sent in plain text.
If you are concerned by this issue, we advise you to update all NetSupport Gateways, Clients and Controls to version 11.00.0005 or later.
The NetSupport Manager Gateway now has two additional configuration options available in the Security tab of the Connectivity Server configuration.
Enable encryption of communications to remote computers
This option is enabled by default and encrypts all header information when communicating with Clients or Controls that are running version 11.00.0005 or later. Clients and Controls from previous versions will still be able to communicate; however, communications with older versions will contain unencrypted data in the header.
Block any remote computers not using encrypted communications
When enabled, this option will block connections from versions of the Control or Client that do not support the enhanced level of encryption. So, any Client or Control before version 11.00.0005 will no longer connect to this Gateway.
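Before turning on the block option it helps to know which machines it would cut off. The following is an added example, not NetSupport code: it classifies an inventory of installed versions against the behaviour described above, with the encryption option left at its default (enabled). The CSV layout, host names and function names are assumptions, and versions are assumed to order by numeric component.

```python
import csv
import io

FIXED = (11, 0, 5)  # 11.00.0005, the first fixed release named in the advisory

# Constructed sample inventory; hostnames, roles and versions are made up.
SAMPLE_INVENTORY = """host,role,version
ws-001,Client,11.00.0005
ws-002,Client,11.00.0004
ws-003,Client,10.70.0006
helpdesk-1,Control,12.10.0001
helpdesk-2,Control,11.0.5
kiosk-9,Client,unknown
"""

def parse_version(text):
    """Turn '11.00.0005' into (11, 0, 5); return None if it is not dotted numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))  # pad short forms such as '11' or '11.1'
    return tuple(nums)

def classify(version_text, block_unencrypted):
    """Outcome of a connection to a Gateway with encryption enabled (the default)."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # needs a manual check before rollout
    if version >= FIXED:
        return "encrypted"
    # Older builds: refused when the block option is on, otherwise they connect
    # with IP address, MAC address and user name readable in the header.
    return "blocked" if block_unencrypted else "plaintext-header"

def audit(inventory_csv, block_unencrypted=False):
    """Map each outcome to the list of hosts it applies to."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        outcome = classify(row["version"], block_unencrypted)
        result.setdefault(outcome, []).append(row["host"])
    return result

if __name__ == "__main__":
    for block in (False, True):
        print("block option on: " if block else "block option off:",
              audit(SAMPLE_INVENTORY, block))
```

Hosts reported as "plaintext-header" are the ones still exposing header data through the Gateway; upgrading them first means the block option can be enabled without losing connections.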