7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
0.003 Low
EPSS
Percentile
71.5%
Baramundi Management Suite versions 7.5 to 8.9 contains multiple vulnerabilities related to clear-text credential storage and transmission.
CWE-319: Cleartext Transmission of Sensitive Information - CVE-2013-3593
Baramundi Mangement Suite versions 7.5 to 8.9 transfers data in cleartext between the server and clients, and stores data in cleartext.
CWE-312: Cleartext Storage of Sensitive Information - CVE-2013-3624
When Baramundi Management Suite versions 7.5 to 8.9 is used for OS deployment, it stores the credentials in an unencrypted form on the deployed systems.
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2013-3625
Baramundi Management Suite versions 7.5 to 8.9 utilizes a hard-coded encryption key stored in a dll file.
The CVSS score below applies to CVE-2013-3593.
07/15/2015 Vendor Comment:
With Baramundi Management Suite version 2015 R1 further improvements have been made to close existing problems noted in VU#392654. Therefore, we recommend updating to the latest release version 2015 R1.
Addressing issues noted in βCWE-319: Cleartext Transmission of Sensitive Informationβ, sensitive information stored on disc has been removed or, if that was not possible, the files have been encrypted with industrial standard encryption methods. In addition, access to sensitive data on disc has been further limited to authorized user accounts.
In order to resolve problems noted in βCWE-321: Use of Hard-coded Cryptographic Keyβ, the communication has been altered to industrial standard (SSL/TLS with mutual authentication using client-server certificates) and the offline storage on disc has encrypted as stated in the paragraph above. Due to this change, data (still) encrypted with the hard-coded key can no longer be accessed.
Since the software is used as an operating system deployment solution, it must have administrative rights to operate. As such, there are several impacts:
Privilege Escalation
* Administrative privileges can be obtained on any local machine that was installed via Baramundi Management Suite.
* Administrative privileges in Microsoft Active Directory can potentially be obtained.
Credential Theft
* Credentials may be obtained by sniffing the traffic on the network.
Apply an Update
Baramundi Management Suite 2014 addresses CVE-2013-3593 and CVE-2013-3624. While a public download is not available, baramundi software AG requests that customers contact technical support.
Encrypt network traffic
Use layer 3 encryption between clients and servers to prevent sniffing attacks.
392654
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: July 30, 2013 Updated: July 24, 2015
Affected
Overview
Baramundi Management Suite versions 7.5 to 8.9 contains multiple
vulnerabilities related to clear-text credential storage and transmission.
07/15/2015 Updated Vendor comment:
With baramundi Management Suite version 2015 R1 further improvements have been
made to close existing problems noted in VU#392654. Therefore, we recommend
updating to the latest release version 2015 R1.
Addressing issues noted in βCWE-319: Cleartext Transmission of Sensitive
Informationβ, sensitive information stored on disc has been removed or, if
that was not possible, the files have been encrypted with industrial standard
encryption methods. In addition, access to sensitive data on disc has been
further limited to authorized user accounts.
In order to resolve problems noted in βCWE-321: Use of Hard-coded Cryptographic
Keyβ, the communication has been altered to industrial standard (SSL/TLS with
mutual authentication using client-server certificates) and the offline storage
on disc has encrypted as stated in the paragraph above. Due to this change,
data (still) encrypted with the hard-coded key can no longer be accessed.
Prior Comment:
All three reported observations are correct and legitimate. baramundi is going
to continually improve in these areas and provides more specific details for
these issues enclosed.
We have identified two concrete issues with need for immediate action and have
addressed and improved these with the new baramundi management suite 2014
(short: bMS 2014).
CWE-319: Cleartext Transmission of Sensitive Information - CVE-2013-3593
Baramundi Management Suite versions 7.5 to 8.9 transfers data in clear text
between the server and clients, and stores data in clear text.
Vendor comment: Due to a protocol problem when negotiating communication
channels one side of the communication could be set up unencrypted. bMS 2014
resolves this problem. There are no clear text transfers in this main
communication channels any more. In addition the server only accepts encrypted
client connections. This change has been implemented compatibly, i.e. even with
older agent versions the main communication channel is secured. This
improvement also has been implemented for the communication with the agent used
with Windows PE for OS installation. This also improves security while
installing operating systems.
CWE-312: Clear text Storage of Sensitive Information - CVE-2013-3624
When Baramundi Management Suite versions 7.5 to 8.9 is used for OS deployment,
it stores the credentials in an unencrypted form on the deployed systems.
Vendor comment: This affects the files to configure the OS installation.Γ
Depending on the chosen method to join domains, the administrator credentials
can reside in clear text (cf. Microsoft standard methods,
<http://technet.microsoft.com/en-us/library/cc730845(v=ws.10).aspx#BKMK_3>).
In the installed system this is part of the Microsoft process to automatically
deploy systems. bMS 2014 warns the administrator, if choosing an unsecured
method. Access rights regarding OS installation have been further restricted on
server side.
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2013-3625
Baramundi Management Suite versions 7.5 to 8.9 utilizes a hard-coded encryption
key stored in a dll file.
Vendor comment: Yes, this is the way it is currently implemented. baramundi
will provide continuous improvements in this field. The mobile device
management module already uses a certificate based process.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 7.8 | AV:N/AC:L/Au:N/C:C/I:N/A:N |
Temporal | 6.3 | E:F/RL:W/RC:UC |
Environmental | 1.6 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
<http://www.baramundi.com/products/management-suite/overview/>
Thanks to Damir Bozic for reporting this vulnerability.
This document was written by Chris King.
CVE IDs: | CVE-2013-3593, CVE-2013-3624, CVE-2013-3625 |
---|---|
Date Public: | 2013-10-01 Date First Published: |