Updated 8th June (clarification of update availability)

First published 25th May 2022

CVSS 3.1 Base Score: 8.6 (High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Summary

Several security issues have been found in IGEL Universal Management Suite (UMS). This affects the following IGEL products:

  • UMS 6.x

Details

It has been discovered that IGEL UMS on Windows stores superuser/database credentials in the HKEY_LOCAL_MACHINE registry, which allows a low-privileged attacker with Operating System (OS) access to read the encrypted dbpassword value (CVE-2022-25804).

Another vulnerability is a hardcoded DES key which allows an attacker with access to an encrypted dbpassword value to decrypt the password and gain superuser/database access to IGEL UMS and its database (CVE-2022-25806).

Another hardcoded DES key allows an attacker with access to encrypted LDAP bind credentials to decrypt the password and obtain access to plaintext LDAP bind credentials (CVE-2022-25807).

Finally, UMS may expose Lightweight Directory Access Protocol (LDAP) bind credentials in plaintext form, which allows a remote, authenticated attacker to obtain access to those credentials (CVE-2022-25805).

These issues were found by Nick Nam of Atredis Partners.

Mitigations

  • CVE-2022-25804 can be mitigated by using a dedicated host for the UMS server and restricting access to that host to the UMS administrator only. Using a dedicated host per service is a general IT best practice.
  • CVE-2022-25806 and CVE-2022-25807 can be mitigated by restricting access to the UMS database and its backups.
  • CVE-2022-25805 can be mitigated by using LDAPS (with TLS) only, which is configurable in UMS.
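
A host-side check for CVE-2022-25804, added here as an example and not part of IGEL's advisory or product: it lists which broad local principals (Users, Authenticated Users, Everyone, INTERACTIVE) hold read rights on the registry key that stores the UMS database credentials, so an administrator can confirm the dedicated-host restriction actually took effect. The key path is a placeholder, since this advisory does not name it; substitute the key under HKEY_LOCAL_MACHINE that holds the dbpassword value on your UMS server.

```powershell
# Added audit helper (not IGEL's code). The path below is a placeholder:
# replace it with the HKLM key that holds the UMS dbpassword value.
$UmsKeyPath = 'HKLM:\SOFTWARE\UMS_KEY_PLACEHOLDER'

# Principals that include every low-privileged local account; an Allow
# rule granting any read right to one of these exposes the stored value.
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-UmsRegistryExposure {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Registry key not found: $Path"
        return
    }

    # Any of these rights is enough to read a value stored in the key.
    $readRights = [int][System.Security.AccessControl.RegistryRights]::QueryValues -bor
                  [int][System.Security.AccessControl.RegistryRights]::ReadKey

    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($rule in $acl.Access) {
        # Deny rules narrow access; only Allow rules can expose the value.
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.RegistryRights -band $readRights) -eq 0) { continue }
        if ($BroadPrincipals -contains $rule.IdentityReference.Value) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited   # inherited rules come from a parent key's ACL
            }
        }
    }

    if ($findings) {
        Write-Output "Low-privileged principals can read $Path :"
        $findings | Format-Table -AutoSize
    } else {
        Write-Output "No broad read access found on $Path"
    }
}

Test-UmsRegistryExposure -Path $UmsKeyPath
```

Inherited entries flagged by the script usually come from the default ACL on HKLM\SOFTWARE, so tightening the key alone requires breaking inheritance on it rather than only editing explicit rules.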

Update Instructions

  • UMS 6.x: A UMS release with fixes is in preparation. When it is available, this ISN will be updated.

References