Advisory ID: SYSS-2014-007
Product: FrontRange DSM
Vendor: FrontRange Solutions USA Inc. and/or its affiliates
Affected Version(s): v7.2.1.2020, v7.2.2.2331
Tested Version(s): v7.2.1.2020, v7.2.2.2331
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
                    Insufficiently Protected Credentials (CWE-522)
                    Violation of Secure Design Principles (CWE-657)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2014-07-10
Solution Date: 2015-04-30
Public Disclosure: 2015-04-30
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The client management solution FrontRange Desktop & Server Management (DSM) stores and uses sensitive user credentials for required user accounts in an insecure manner. This enables an attacker or malware with file system access to a managed client, for example with the privileges of a limited Windows domain user account, to recover the cleartext passwords.

The recovered passwords can be used for privilege escalation attacks and for gaining unauthorized access to other client and/or server systems within the corporate network, as at least one FrontRange DSM user account needs local administrative privileges on managed systems.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

FrontRange DSM stores passwords for different user accounts in encrypted form in two configuration files named NiCfgLcl.ncp and NiCfgSrv.ncp.
These configuration files contain encrypted password information for different required FrontRange DSM user accounts (see [2]), for example:

* DSM Runtime Service
* DSM Distribution Service
* Business Logic Server (BLS) Authentication
* Database account

A limited Windows domain user has read access to these configuration files, which are usually stored in the following locations:

* %PROGRAMFILES(X86)%\NetInst\NiCfgLcl.ncp (local on a managed client)
* %PROGRAMFILES(X86)%\NetInst\NiCfgSrv.ncp (local on a managed client)
* \\\DSM$\NiCfgLcl.ncp (remote on a DSM network share)
* \\\DSM$\NiCfgSrv.ncp (remote on a DSM network share)

The passwords are encoded and encrypted using a hard-coded secret (cryptographic key) contained within the FrontRange DSM executable file NIInst32.exe.

FrontRange DSM therefore insufficiently protects sensitive user credentials and violates secure design principles: limited user accounts have read access to the stored password information, the passwords can be recovered as cleartext using a hard-coded cryptographic key, and, due to the software design, the passwords are also used in the context of a low-privileged user process (NIInst32.exe), which can be analyzed and controlled by an attacker or malware running in the same low-privileged user context.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH developed a proof-of-concept software tool for recovering cleartext passwords stored within the FrontRange configuration files NiCfgLcl.ncp and NiCfgSrv.ncp. The following output shows an example of a successful password recovery:

>fpd.exe k20A21A2EAE408E8A39GBDEF47DG93437F3E6G54D3CBA4282CE77A
FrontRange DSM Password Decryptor v1.0 by Matthias Deeg - SySS GmbH (c) 2014
[+] Decrypted password: Three-Headed Monkey!
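The practical exposure described above is a file-permission problem as much as a cryptographic one: any principal that can read the .ncp files holds everything needed to recover the credentials. The following PowerShell audit is an added example written for this advisory, not SySS or FrontRange code; it checks whether the configuration files at the locations named above grant read access to broad principals. The -DsmServer parameter is an assumption, since the advisory does not name the server hosting the DSM$ share.

```powershell
<#
  Added example (not part of the SySS advisory or of FrontRange DSM):
  report whether the DSM configuration files are readable by principals
  that cover every limited domain user. -DsmServer is an assumed parameter
  naming the host of the DSM$ share; omit it to check local files only.
#>
param([string]$DsmServer)

$paths = @(
    (Join-Path ${env:ProgramFiles(x86)} 'NetInst\NiCfgLcl.ncp'),
    (Join-Path ${env:ProgramFiles(x86)} 'NetInst\NiCfgSrv.ncp')
)
if ($DsmServer) {
    $share = '\\{0}\DSM$' -f $DsmServer
    $paths += (Join-Path $share 'NiCfgLcl.ncp'), (Join-Path $share 'NiCfgSrv.ncp')
}

# An Allow ACE granting read data to any of these principals means the
# encrypted passwords are exposed to every limited domain user.
$broad = @('Everyone', 'BUILTIN\Users',
           'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Output "[ ] $p : not present"
        continue
    }
    $exposed = (Get-Acl -LiteralPath $p).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $readMask) -ne 0)
    }
    if ($exposed) {
        $who = ($exposed | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        Write-Output "[!] $p : readable by $who (CWE-522 exposure; apply the vendor fix)"
    } else {
        Write-Output "[+] $p : not readable by broad principals"
    }
}
```

Run it from a limited domain user session on a managed client to confirm the exposure from that user's perspective; a "[!]" line on a patched installation indicates the permissions still need attention even after the vendor update.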
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by FrontRange, the described security issues have been fixed in a new software release available on April 30, 2015.

Please contact the vendor for further information or support.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2014-07-10: Vulnerability reported to vendor
2014-07-15: Vendor acknowledges e-mail with SySS security advisory and asks for further information
2014-07-17: SySS talks about the security vulnerabilities with the vendor and about the timeline for remedying or mitigating the found security vulnerabilities. As agreed upon with the vendor, the publication date is rescheduled to a later date.
2014-10-07: Rescheduling of the publication date in agreement with the vendor
2015-03-23: Rescheduling of the publication date in agreement with the vendor
2015-04-30: Vendor releases fix for the described security vulnerabilities
2015-04-30: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] FrontRange DSM Web site
    http://www.frontrange.com/heat/products/client-management
[2] FrontRange DSM Getting Started Guide
    http://go.frontrange.com/rs/frontrange/images/DSM-Getting-Started-Guide.pdf
[3] SySS Security Advisory SYSS-2014-007
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2014-007.txt
[4] SySS Paper "Privilege Escalation via Client Management Software"
    https://www.syss.de/fileadmin/dokumente/Publikationen/2015/Privilege_Escalation_via_Client_Management_Software.pdf
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg of SySS GmbH.
E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en