Ivanti Workspace Control Registry Stored Credentials

A flaw was found in Workspace Control that allows a local unprivileged user to retrieve the database or Relay server credentials from the Windows Registry. These credentials are encrypted, however the encryption that is used is reversible. This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1 and 10.2.950.0.


MD5 | 40fda4c2a16f2e00046340df84539054

------------------------------------------------------------------------
Stored credentials Ivanti Workspace Control can be retrieved from
Registry
------------------------------------------------------------------------
Yorick Koster, August 2018

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A flaw was found in Workspace Control that allows a local unprivileged
user to retrieve the database or Relay server credentials from the
Windows Registry. These credentials are encrypted, however the
encryption that is used is reversible.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Ivanti Workspace Control version
10.2.700.1 & 10.2.950.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue was resolved in Ivanti Workspace Control version 10.3.10.0.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20180804/stored-credentials-ivanti-workspace-control-can-be-retrieved-from-registry.html

Workspace Control stores credentials for connecting to the Relay server(s) or database server(s) in the Registry. The credentials are protected using a custom encryption algorithm or, if FIPS mode is enabled, using AES encryption. The encryption algorithm can be retrieved using decompilation of the binaries - including the encryption key. When FIPS mode is enabled the key is derived from a value that is also stored in the Registry. The values are stored under the HKLM hive and can therefore not be changed by an unprivileged local user, they can however be read.

A local attacker can retrieve the encrypted credentials from the Registry and after that retrieve the plaintext password. With the password it will be possible to connect directly to the Relay and database servers. Most IT shops will use the same database password for managing the database and the Agents. With access to the database password it is often possible to change the database and thus compromise every Agent (workstation) that is connected to this database.

In some scenarios it is also possible to use these credentials to trick Agents into connecting to a rogue database containing a malicious configuration. When connected the Agent can be tricked into running attacker-supplied code, which will result in a full compromise of these Agents.

Related Posts