Ivanti Workspace Control Registry Stored Credentials

Credit: Yorick Koster
Risk: Medium
Local: Yes
Remote: No

------------------------------------------------------------------------ Stored credentials Ivanti Workspace Control can be retrieved from Registry ------------------------------------------------------------------------ Yorick Koster, August 2018 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A flaw was found in Workspace Control that allows a local unprivileged user to retrieve the database or Relay server credentials from the Windows Registry. These credentials are encrypted, however the encryption that is used is reversible. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1 & 10.2.950.0. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue was resolved in Ivanti Workspace Control version ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20180804/stored-credentials-ivanti-workspace-control-can-be-retrieved-from-registry.html Workspace Control stores credentials for connecting to the Relay server(s) or database server(s) in the Registry. The credentials are protected using a custom encryption algorithm or, if FIPS mode is enabled, using AES encryption. The encryption algorithm can be retrieved using decompilation of the binaries - including the encryption key. When FIPS mode is enabled the key is derived from a value that is also stored in the Registry. The values are stored under the HKLM hive and can therefore not be changed by an unprivileged local user, they can however be read. A local attacker can retrieve the encrypted credentials from the Registry and after that retrieve the plaintext password. With the password it will be possible to connect directly to the Relay and database servers. Most IT shops will use the same database password for managing the database and the Agents. With access to the database password it is often possible to change the database and thus compromise every Agent (workstation) that is connected to this database. In some scenarios it is also possible to use these credentials to trick Agents into connecting to a rogue database containing a malicious configuration. When connected the Agent can be tricked into running attacker-supplied code, which will result in a full compromise of these Agents.



Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com


Back to Top