SSOAgent secrets in logs

Advisory ID: STORM-2022-001
CVE Number: CVE-2022-22703
Date discovered: 11/03/2021
Severity: medium
Advisory revision: v1

Vulnerability details

After SSOAgent is installed, the installation log file contains the PSK and the user password in plain text.

Impacted products

Product: SSO Agent
Severity: medium
Detail: SSO Agent Impacted

Revisions

Version Date Description
v1  01/17/2022 Initial release

SSO Agent

CVSS v3.1 Overall Score: 6.8

Analysis

Impacted version

This vulnerability is only present in SSO Agent on Windows when it was installed with the .exe installer (not the .msi).

In versions below 2.1.0, logging is enabled by default.

In versions above 3.0.0, logging is disabled by default but can be enabled with a command-line argument.

The generated “install” log file contains the PSK and the user password in plain text.

Workaround solution

Delete the “install” log file in the same directory where the installer file was executed.

Solution

The following versions fix this vulnerability:

  • 2.1.1
  • 3.0.2


Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
CVSS Base score: 7.8
CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Exploit Code Maturity: Unproven that exploit exists
Remediation Level: Official fix
Report Confidence: Confirmed
CVSS Temporal score: 6.8
CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Confidentiality Requirement: High
Integrity Requirement: High
Availability Requirement: High
CVSS Environmental score: 6.8
CVSS Vector: (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)