ISN 2022-13: UMS Vulnerabilities
Updated 8th June (clarification of update availability)
First published 25th May 2022
CVSS 3.1 Base Score: 8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Summary
Several security issues have been found in IGEL Universal Management Suite (UMS). This affects the following IGEL products:
- UMS 6.x
Details
It has been discovered that IGEL UMS on Windows stores superuser/database credentials in the HKEY_LOCAL_MACHINE
registry, which allows a low-privileged attacker with Operating System (OS) access to read the encrypted dbpassword
value (CVE-2022-25804).
Another vulnerability is a hardcoded DES key which allows an attacker with access to an encrypted dbpassword
value to decrypt the password and gain superuser/database access to IGEL UMS and its database (CVE-2022-25806). Chained with CVE-2022-25804, this means a low-privileged local user on a Windows UMS server can recover the plaintext superuser/database password without any further privilege.
Another hardcoded DES key allows an attacker with access to encrypted LDAP bind credentials to decrypt the password and obtain access to plaintext LDAP bind credentials (CVE-2022-25807).
Finally, UMS may expose Lightweight Directory Access Protocol (LDAP) bind credentials in plaintext form, which allows a remote, authenticated attacker to obtain access to those credentials (CVE-2022-25805).
These issues were found by Nick Nam of Atredis Partners.
Mitigations
- CVE-2022-25804 can be mitigated by using a dedicated host for the UMS server and restricting logon to it (local and remote) to UMS administrators only. Using a dedicated host per service is a general IT best practice.
- CVE-2022-25806 and CVE-2022-25807 can be mitigated by restricting access to the UMS database and its backups, since both hardcoded keys only matter to an attacker who has already obtained the encrypted values.
- CVE-2022-25805 can be mitigated by using LDAPS (LDAP over TLS) only, which is configurable in UMS.
These mitigations reduce exposure until a fixed release is available; they do not remove the stored credentials or the hardcoded keys.
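The following PowerShell audit is an added example, not part of this ISN and not IGEL code. It checks whether any principal other than SYSTEM and Administrators has read access to a registry key, which is the condition that makes CVE-2022-25804 exploitable by a low-privileged local user. The advisory does not name the key UMS uses, so the key path is a placeholder parameter that must be replaced with the real one; the trusted-principal list is also an assumption and should include whatever service account UMS runs under.

```powershell
# Added audit script (not from IGEL). Reports non-administrative principals that
# can read values under a registry key, e.g. the key holding the UMS dbpassword.
function Get-LowPrivRegistryReaders {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed trusted readers; add the UMS service account if it is not SYSTEM.
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key '$Path' not found"
    }

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries are skipped.
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        # QueryValues (0x1) is all that is needed to read a stored value.
        # GENERIC_READ (0x80000000) appears on some inherited ACEs and implies it.
        $r = [int]$ace.RegistryRights
        $canRead = (($r -band 0x1) -ne 0) -or (($r -band 0x80000000) -ne 0)
        if (-not $canRead) { continue }

        $who = $ace.IdentityReference.Value
        if ($Trusted -contains $who) { continue }

        [pscustomobject]@{
            Key         = $Path
            Identity    = $who
            Rights      = $ace.RegistryRights
            IsInherited = $ace.IsInherited
        }
    }
}

# Placeholder path: the ISN does not name the UMS key, so substitute the real one.
$UmsKey = 'HKLM:\SOFTWARE\IGEL'

$readers = Get-LowPrivRegistryReaders -Path $UmsKey
if ($readers) {
    Write-Warning "Principals other than SYSTEM/Administrators can read $UmsKey :"
    $readers | Format-Table -AutoSize
} else {
    Write-Host "Only trusted principals can read $UmsKey"
}
```

Expect a finding for BUILTIN\Users on almost any vendor key: HKLM\SOFTWARE grants Users read access by default and subkeys inherit it, which is exactly why credentials stored there are readable by low-privileged accounts. Do not tighten the ACL blindly in response; if the UMS service runs under a non-administrative account, removing its read access will break the service. Use the output to confirm the exposure on a given host and to verify that the dedicated-host and logon-restriction mitigation above is actually in place.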
Update Instructions
- UMS 6.x: A UMS release with fixes is in preparation. When it is available, this ISN will be updated.
References
- Atredis Partners, Multiple Vulnerabilities in IGEL Universal Management Suite (UMS) v6.07.100: https://github.com/atredispartners/advisories/blob/master/ATREDIS-2022-0002.md
- CVE-2022-25804: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25804
- CVE-2022-25806: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25806
- CVE-2022-25807: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25807
- CVE-2022-25805: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25805