what you don't know can hurt you

Ivanti Workspace Control Registry Stored Credentials

Ivanti Workspace Control Registry Stored Credentials
Posted Oct 1, 2018
Authored by Yorick Koster, Securify B.V.

A flaw was found in Workspace Control that allows a local unprivileged user to retrieve the database or Relay server credentials from the Windows Registry. These credentials are encrypted, however the encryption that is used is reversible. This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1 and 10.2.950.0.

tags | advisory, local, registry
systems | windows
SHA-256 | 964ae3397201993a0875edfc0ea849d24a6d6bd09383d580016c683c5209f357

Ivanti Workspace Control Registry Stored Credentials

Change Mirror Download
------------------------------------------------------------------------
Stored credentials Ivanti Workspace Control can be retrieved from
Registry
------------------------------------------------------------------------
Yorick Koster, August 2018

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A flaw was found in Workspace Control that allows a local unprivileged
user to retrieve the database or Relay server credentials from the
Windows Registry. These credentials are encrypted, however the
encryption that is used is reversible.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Ivanti Workspace Control version
10.2.700.1 & 10.2.950.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue was resolved in Ivanti Workspace Control version 10.3.10.0.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20180804/stored-credentials-ivanti-workspace-control-can-be-retrieved-from-registry.html

Workspace Control stores credentials for connecting to the Relay server(s) or database server(s) in the Registry. The credentials are protected using a custom encryption algorithm or, if FIPS mode is enabled, using AES encryption. The encryption algorithm can be retrieved using decompilation of the binaries - including the encryption key. When FIPS mode is enabled the key is derived from a value that is also stored in the Registry. The values are stored under the HKLM hive and can therefore not be changed by an unprivileged local user, they can however be read.

A local attacker can retrieve the encrypted credentials from the Registry and after that retrieve the plaintext password. With the password it will be possible to connect directly to the Relay and database servers. Most IT shops will use the same database password for managing the database and the Agents. With access to the database password it is often possible to change the database and thus compromise every Agent (workstation) that is connected to this database.

In some scenarios it is also possible to use these credentials to trick Agents into connecting to a rogue database containing a malicious configuration. When connected the Agent can be tricked into running attacker-supplied code, which will result in a full compromise of these Agents.
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close