Vulnerability Disclosure - Sensitive Info. Leakage: Logs containing DB Password @ Zoho R.A.P.

Kartik Lalan
Published in NestedIf
Sep 23, 2021

Status: Fixed (as of 27-Aug-2021)

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8 (High Severity)

Fixed version: 10.1.2121.1 (Change log)

Impacted Component: Remote Access Plus (RAP) Server (Desktop App)

Vulnerability Description: The PostgreSQL logs written by the product were found to contain sensitive information; among the logged statements were queries carrying the DB password for the dcuser account. dcuser has unrestricted permission to run any SQL query, so an attacker who obtains these credentials can perform every database operation.
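As an added example (not code from the original report or from the vendor), the following Python script shows the check a practitioner would run over a PostgreSQL server log to find password-bearing statements of the kind described above, and redacts them. The log lines are constructed for this example: the timestamps, the database and role names other than dcuser, and every password value are placeholders, not data from the report. The script separates plain-text password literals (what ends up in the log when `log_statement` is `all` or `ddl` and a role's password is set with a cleartext literal) from pre-hashed SCRAM or md5 verifiers, which is what psql's `\password` command sends instead of the cleartext.

```python
import re

# Constructed sample of a PostgreSQL server log with statement logging enabled.
# Timestamps, the dbname, role names other than dcuser and every password value
# are placeholders invented for this example, not data from the report.
SAMPLE_LOG = """\
2021-08-20 10:15:02.114 IST [4128] LOG:  database system is ready to accept connections
2021-08-20 10:15:07.551 IST [5012] LOG:  statement: CREATE ROLE dcuser WITH LOGIN SUPERUSER PASSWORD 'Xk9#pLq2vT'
2021-08-20 10:15:07.602 IST [5012] LOG:  statement: ALTER USER dcuser WITH PASSWORD 'Xk9#pLq2vT'
2021-08-20 10:15:09.003 IST [5012] LOG:  statement: SELECT count(*) FROM pg_catalog.pg_roles
2021-08-20 10:16:11.220 IST [5040] LOG:  statement: ALTER ROLE app_ro PASSWORD 'SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy'
2021-08-20 10:17:00.001 IST [5040] LOG:  statement: SELECT dblink_connect('host=127.0.0.1 dbname=rapdb user=dcuser password=Xk9#pLq2vT')
"""

# CREATE/ALTER ROLE|USER ... [ENCRYPTED] PASSWORD '<literal>' ('' escapes a quote inside the literal).
PASSWORD_LITERAL = re.compile(
    r"\b(?P<kw>(?:ENCRYPTED\s+|UNENCRYPTED\s+)?PASSWORD\s+)'(?P<pw>(?:[^']|'')*)'",
    re.IGNORECASE,
)
# Which role the statement targets, for reporting.
ROLE_TARGET = re.compile(
    r"\b(?:CREATE|ALTER)\s+(?:ROLE|USER|GROUP)\s+\"?(?P<role>[A-Za-z_][\w$]*)\"?",
    re.IGNORECASE,
)
# libpq-style connection strings (dblink, postgres_fdw, etc.) logged verbatim.
CONN_STRING_PW = re.compile(r"\b(?P<kw>password=)(?P<pw>[^\s&'\"]+)", re.IGNORECASE)


def is_prehashed(pw):
    """True for a SCRAM-SHA-256 or md5 verifier, i.e. not a cleartext password."""
    if pw.startswith("SCRAM-SHA-256$"):
        return True
    # md5 verifiers are the literal 'md5' + 32 hex digits of md5(password + username).
    return pw.startswith("md5") and len(pw) == 35 and all(c in "0123456789abcdef" for c in pw[3:])


def find_credential_leaks(log_text):
    """Return one finding per password-bearing statement: line number, role, hashed?"""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        role_m = ROLE_TARGET.search(line)
        for m in PASSWORD_LITERAL.finditer(line):
            findings.append({
                "line": lineno,
                "role": role_m.group("role") if role_m else None,
                "hashed": is_prehashed(m.group("pw")),
            })
        for _ in CONN_STRING_PW.finditer(line):
            findings.append({"line": lineno, "role": None, "hashed": False})
    return findings


def plaintext_leaks(log_text):
    """Only the findings that hand an attacker a usable cleartext password."""
    return [f for f in find_credential_leaks(log_text) if not f["hashed"]]


def redact_line(line):
    """Replace every password literal (hashed or not) with a marker, keeping the statement shape."""
    line = PASSWORD_LITERAL.sub(r"\g<kw>'<redacted>'", line)
    return CONN_STRING_PW.sub(r"\g<kw><redacted>", line)


def redact_log(log_text):
    return "\n".join(redact_line(l) for l in log_text.splitlines())


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG):
        kind = "hashed verifier" if f["hashed"] else "CLEARTEXT password"
        print(f"line {f['line']}: {kind} for role {f['role']}")
    print(redact_log(SAMPLE_LOG))
```

Run as a file it reports the embedded sample; on a real host feed `find_credential_leaks` the contents of the server's `postgresql-*.log` files. Hashed verifiers are reported separately because they still deserve redaction (a SCRAM verifier can be attacked offline), whereas a cleartext literal is an immediate compromise. The durable fix is the first recommendation below: never send cleartext passwords in statements that a logging setting can capture, and do not run with statement logging at a level that records them.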

Impact rationale: Unrestricted DB access means complete control over the enterprise's systems, since the solution provides remote administration of every system in the enterprise. It also gives unrestricted access to every feature of the web interface, because user authentication is performed through DB queries against data the attacker now controls.

Exploitability rationale:

An attacker needs access to the system on which the application is installed. The password appears to be generated randomly at installation time (installing on two systems produced two different passwords), which is why the severity is rated High rather than Critical. However, the log file grants Full Control to all users, so any local user can read the password from it; independently of this issue, logs should never contain sensitive data of this kind. Moreover, the bundled psql binary can be used by a non-admin user on the same system to fetch the DB contents with these credentials.

Supportive Evidence:

Cleartext password for dcuser in log file
Authenticated Users group with Full Control

Recommendation:

  1. Do not log sensitive information such as credentials; if statement logging is required, redact password literals before they reach the log.
  2. Restrict file access to the logs: remove the Full Control grant for non-admin users (Authenticated Users) and allow only administrators, or a predefined set of accounts chosen according to the file's content.
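As an added example for the second recommendation and the "Full Control for Authenticated Users" evidence above (not code from the report or from the vendor), this Python script audits the ACL of a log file from `icacls` output, flags grants to principals that amount to "any local user", and produces the `icacls` commands that remove them. The file path and the `icacls` output are constructed placeholders, not the product's real paths or ACLs. It assumes the `icacls` display format (`principal:(flags)(rights)`), the standard simple and specific right codes, and that deny entries are shown with a `(DENY)` token; those format details are assumptions rather than facts from the report.

```python
import re
import subprocess
import sys

# Principals that effectively mean "any local user". Compared case-insensitively.
BROAD_PRINCIPALS = {
    "everyone",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
    r"builtin\users",
}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# icacls right codes that include reading the file's data, or writing/deleting it
# (the latter also lets a local user tamper with evidence).
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA", "RD"}
WRITE_RIGHTS = {"F", "M", "W", "D", "GW", "GA", "WD", "AD"}

ACE_LINE = re.compile(r"^(?P<principal>.+?):(?P<aces>(?:\([^)]*\))+)$")

# Constructed icacls output for a hypothetical log path (placeholder, not from the report).
SAMPLE_PATH = r"C:\RAP\pgsql\log\postgresql-2021-08-20.log"
SAMPLE_ICACLS = r"""C:\RAP\pgsql\log\postgresql-2021-08-20.log NT AUTHORITY\SYSTEM:(I)(F)
                                           BUILTIN\Administrators:(I)(F)
                                           NT AUTHORITY\Authenticated Users:(I)(F)
                                           BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output, path):
    """Yield (principal, tokens) for each ACE in the output of `icacls <path>`."""
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):          # the first ACE shares its line with the path
            line = line[len(path):].strip()
        m = ACE_LINE.match(line)
        if not m:
            continue                        # blank line or the trailing summary line
        tokens = re.findall(r"\(([^)]*)\)", m.group("aces"))
        yield m.group("principal"), tokens


def find_overexposed_aces(output, path):
    """Grants to broad principals that let any local user read or modify the file."""
    findings = []
    for principal, tokens in parse_icacls(output, path):
        if principal.lower() not in BROAD_PRINCIPALS:
            continue
        if "DENY" in tokens or "N" in tokens:
            continue                        # deny / no-access entries grant nothing
        rights = {t for t in tokens if t not in INHERITANCE_FLAGS}
        can_read = bool(rights & READ_RIGHTS)
        can_write = bool(rights & WRITE_RIGHTS)
        if can_read or can_write:
            findings.append({
                "principal": principal,
                "rights": sorted(rights),
                "inherited": "I" in tokens,
                "can_read": can_read,
                "can_write": can_write,
            })
    return findings


def fix_commands(path, findings):
    """icacls commands that strip the flagged principals from the file's ACL."""
    cmds = []
    if any(f["inherited"] for f in findings):
        # Inherited ACEs cannot be removed one by one; detach from the parent first
        # (/inheritance:d copies the inherited entries as explicit ones).
        cmds.append(f'icacls "{path}" /inheritance:d')
    for f in findings:
        cmds.append(f'icacls "{path}" /remove:g "{f["principal"]}"')
    return cmds


def audit_file(path):
    """Run icacls on a live Windows host; elsewhere there is nothing to query."""
    if sys.platform != "win32":
        raise RuntimeError("icacls is only available on Windows")
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=True).stdout
    return find_overexposed_aces(out, path)


if __name__ == "__main__":
    found = find_overexposed_aces(SAMPLE_ICACLS, SAMPLE_PATH)
    for f in found:
        print(f"{f['principal']}: {f['rights']} read={f['can_read']} write={f['can_write']}")
    for c in fix_commands(SAMPLE_PATH, found):
        print(c)
```

For the sample it flags Authenticated Users (Full Control: read and write) and BUILTIN\Users (read), leaves SYSTEM and Administrators alone, and emits the detach-then-remove commands. On a real host `audit_file(path)` runs `icacls` itself. Apply the same fix to the log directory as well, not only to the current file: rotated logs inherit the directory's ACL, so a per-file fix lasts only until the next rotation.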
