Advisory ID: SYSS-2014-007 Product: FrontRange DSM Vendor: FrontRange Solutions USA Inc. and/or its affiliates Affected Version(s): v7.2.1.2020, v7.2.2.2331 Tested Version(s): v7.2.1.2020, v7.2.2.2331 Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321) Insufficiently Protected Credentials (CWE-522) Violation of Secure Design Principles (CWE-657) Risk Level: High Solution Status: Fixed Vendor Notification: 2014-07-10 Solution Date: 2015-04-30 Public Disclosure: 2015-04-30 CVE Reference: Not yet assigned Author of Advisory: Matthias Deeg (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The client management solution FrontRange Desktop & Server Management (DSM) stores and uses sensitive user credentials for required user accounts in an insecure manner which enables an attacker or malware with file system access to a managed client, for example with the privileges of a limited Windows domain user account, to recover the cleartext passwords. The recovered passwords can be used for privilege escalation attacks and for gaining unauthorized access to other client and/or server systems within the corporate network as at least one FrontRange DSM user account needs local administrative privileges on managed systems. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: FrontRange DSM stores passwords for different user accounts encrypted in two configuration files named NiCfgLcl.ncp and NiCfgSrv.ncp. These configuration files contain encrypted password information for different required FrontRange DSM user accounts (see [2]), for example * DSM Runtime Service * DSM Distribution Service * Business Logic Server (BLS) Authentication * Database account A limited Windows domain user has read access to these configuration files that are usually stored in the following locations: * %PROGRAMFILES(X86)\NetInst\NiCfgLcl.ncp (local on a managed client) * %PROGRAMFILES(X86)\NetInst\NiCfgSrv.ncp (local on a managed client) * \\<FRONTRANGE SERVER>\DSM$\NiCfgLcl.ncp (remote on a DSM network share) * \\<FRONTRANGE SERVER>\DSM$\NiCfgSrv.ncp (remote on a DSM network share) The passwords are encoded and encrypted using a hard-coded secret (cryptographic key) contained within the FrontRange DSM executable file NIInst32.exe. The software solution FrontRange DSM insufficiently protects sensitive user credentials and violates secure design principles as limited user accounts have read access to the stored password information, the passwords can be recovered as cleartext using a hard-coded cryptographic key, and due to the software design the passwords are also used in the context of a low-privileged user process (NIInst32.exe) which can be analyzed and controlled by an attacker or malware running in the same low-privileged user context. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The SySS GmbH developed a proof-of-concept software tool for recovering cleartext passwords stored within the FrontRange configuration files NiCfgLcl.ncp and NiCfgSrv.ncp. The following output exemplarily shows a successful password recovery: fpd.exe k20A21A2EAE408E8A39GBDEF47DG93437F3E6G54D3CBA4282CE77A FrontRange DSM Password Decryptor v1.0 by Matthias Deeg <matthias.deeg () syss de> - SySS GmbH (c) 2014 [+] Decrypted password: Three-Headed Monkey! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to information by FrontRange, the described security issues have been fixed in a new software release available on April 30, 2015. Please contact the vendor for further information or support. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2014-07-10: Vulnerability reported to vendor 2014-07-15: Vendor acknowledges e-mail with SySS security advisory and asks for further information 2014-07-17: SySS talks about the security vulnerabilities with the vendor and about the timeline for remedying or mitigating the found security vulnerabilities. As agreed upon with the vendor, the publication date is rescheduled to a later date. 2014-10-07: Rescheduling of the publication date in agreement with the vendor 2015-03-23: Rescheduling of the publication date in agreement with the vendor 2015-04-30: Vendor releases fix for the described security vulnerabilities Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] FrontRange DSM Web site http://www.frontrange.com/heat/products/client-management [2] FrontRange DSM Getting Started Guide http://go.frontrange.com/rs/frontrange/images/DSM-Getting-Started-Guide.pdf [3] SySS Security Advisory SYSS-2014-007 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2014-007.txt [4] SySS Paper "Privilege Escalation via Client Management Software" https://www.syss.de/fileadmin/dokumente/Publikationen/2015/Privilege_Escalation_via_Client_Management_Software.pdf [5] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Matthias Deeg of the SySS GmbH.