TB052 Vulnerability When Masking Excel and XML Files Via SFTP or FTP
Alert Type
Security
Severity Level: High
CVSS Score: 7.9, based on the following metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): None
Affected Software
The issue affects the following Delphix Releases with Masking service enabled where Excel documents are masked over SFTP or FTP using password-based authentication (rather than an SSH Key):
Major Release | All Sub Releases
5.3 | 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3
5.2 | 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.3.1, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1, 5.2.6.2
Description
This vulnerability impacts Delphix Masking customers who access Excel or XML documents over either (a) FTP or (b) SFTP using password-based authentication (rather than an SSH key). The Masking Engine's log files may contain messages with cleartext passwords for Excel or XML SFTP and FTP connectors. These messages may be written to debug.log, error.log, info.log, user.log, warn.log or the job logs, depending on the exact scenario. The debug.log, error.log, user.log, and warn.log files can only be accessed via an OS login to the Masking Engine, which customers cannot do. The user.log and the job logs are accessed through the Masking GUI.
Impact
Usernames and passwords are shown in cleartext in application log files for masking jobs that access Excel or XML documents over either (a) FTP or (b) SFTP using password-based authentication (rather than an SSH key).
Relief/Workaround
- Delphix highly recommends changing all passwords for accounts that were subject to this vulnerability.
- Customers should run Excel and/or XML file masking jobs using the SFTP connection mode with public key authentication to avoid cleartext passwords in the application debug.log files.
Resolution
This issue is fully resolved in Delphix release 5.3.2.0.
Additional Information
Support Bundles collected on affected versions will contain the affected debug.log files and therefore should be protected when stored or transmitted. Delphix has implemented an automated process to remove these passwords during the upload process. In addition to this, all previously uploaded support bundles have been scrubbed to remove information
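The advisory describes two defensive needs: finding out whether a log file already holds cleartext connector credentials, and scrubbing them before a log or support bundle is stored or transmitted. The following is an added example (not Delphix code and not the engine's actual scrubbing process) that does both over a few constructed log lines. The line formats, the `sftp://user:pass@host` URL shape and the `password=` property dump, are assumptions about how a connector could be logged; the advisory does not show the real debug.log format.

```python
"""Added example (not Delphix code): detect and redact cleartext FTP/SFTP
credentials in masking-engine style log lines before a log file or support
bundle leaves the engine. Log line formats are constructed for illustration;
the real debug.log format is not shown in the advisory."""
import re
from typing import List, Tuple

# Constructed sample lines. Two connector shapes are assumed: a URL with
# embedded credentials, and a key=value property dump. The last line shows
# the advisory's workaround (SFTP with a key file), where no password is logged.
SAMPLE_LOG = [
    "2019-01-10 10:15:02 DEBUG Opening SFTP connector: sftp://masker:S3cretPass@files.example.internal:22/excel/in",
    "2019-01-10 10:15:03 DEBUG Connector properties: host=ftp.example.internal user=ftpmask password=Summer2019! mode=FTP",
    "2019-01-10 10:15:04 INFO Masking job 42 started for workbook customers.xlsx",
    "2019-01-10 10:15:09 DEBUG Connector properties: host=files.example.internal user=keyuser keyFile=/home/masker/.ssh/id_rsa mode=SFTP",
]

# Pattern 1: credentials embedded in a URL authority, e.g. scheme://user:pass@host
URL_CRED_RE = re.compile(r"(?P<scheme>s?ftp://)(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@")
# Pattern 2: key=value password fields (password=, passwd=, pwd=), case-insensitive
KV_PW_RE = re.compile(r"(?i)\b(?P<key>password|passwd|pwd)=(?P<pw>\S+)")

REDACTED = "[REDACTED]"


def find_cleartext_credentials(line: str) -> List[Tuple[str, str]]:
    """Return (pattern_name, username_or_key) for each credential found in the line.

    Only the location and the non-secret part are reported, so the finding
    itself never repeats the password.
    """
    hits = []
    for m in URL_CRED_RE.finditer(line):
        hits.append(("url", m.group("user")))
    for m in KV_PW_RE.finditer(line):
        hits.append(("keyvalue", m.group("key").lower()))
    return hits


def redact_line(line: str) -> str:
    """Replace only the secret portion, keeping scheme, user and host for troubleshooting."""
    line = URL_CRED_RE.sub(lambda m: f"{m.group('scheme')}{m.group('user')}:{REDACTED}@", line)
    line = KV_PW_RE.sub(lambda m: f"{m.group('key')}={REDACTED}", line)
    return line


def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a whole log; returns (scrubbed_lines, number_of_lines_that_leaked).

    A non-zero leak count on a log collected from an affected version is the
    signal that the connector password should be rotated, as the advisory recommends.
    """
    scrubbed, leaked = [], 0
    for line in lines:
        if find_cleartext_credentials(line):
            leaked += 1
        scrubbed.append(redact_line(line))
    return scrubbed, leaked


if __name__ == "__main__":
    out, n = scrub_log(SAMPLE_LOG)
    print(f"{n} of {len(SAMPLE_LOG)} lines contained cleartext credentials")
    for scrubbed_line in out:
        print(scrubbed_line)
```

The redaction keeps the username and host so the scrubbed log stays useful for support, and the key-file line passes through untouched, which is the state the workaround (SFTP with public key authentication) leaves the logs in. In a real deployment the patterns would need to be matched against the engine's actual log format, and the leak count should be treated as a trigger for the password rotation the advisory recommends rather than as proof that the scrubbed copy is the only one.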