Delphix

TB052 Vulnerability When Masking Excel and XML Files Via SFTP or FTP

 

Alert Type

Security 

Severity Level: High 

CVSS Score: 7.9, based on:

Attack Vector (AV): Local

Attack Complexity (AC): Low

Privileges Required (PR): High

User Interaction (UI): None

Scope (S): Changed

Confidentiality (C): High

Integrity (I): High

Availability (A): None

Affected Software

The issue affects the following Delphix Releases with Masking service enabled where Excel documents are masked over SFTP or FTP using password-based authentication (rather than an SSH Key):

  • Delphix Engine 5.2.2.0

  • Delphix Engine 5.2.2.1

  • Delphix Engine 5.2.3.0

  • Delphix Engine 5.2.3.1

  • Delphix Engine 5.2.4.0

  • Delphix Engine 5.2.5.0

  • Delphix Engine 5.2.5.1

  • Delphix Engine 5.2.6.0

  • Delphix Engine 5.2.6.1

  • Delphix Engine 5.2.6.2

  • Delphix Engine 5.3.0.0

  • Delphix Engine 5.3.0.1

  • Delphix Engine 5.3.0.2

  • Delphix Engine 5.3.0.3

Description

This vulnerability impacts Delphix Masking customers who access Excel or XML documents over either (a) FTP or (b) SFTP using password-based authentication (rather than an SSH Key). The Masking Engine's log files may contain messages with cleartext passwords for Excel or XML SFTP and FTP connectors. Depending on the exact scenario, these messages may be written to the debug.log, error.log, info.log, user.log, warn.log or the job logs. The debug.log, error.log, user.log, and warn.log files can only be accessed via an OS login to the Masking Engine, which is not available to customers. The user.log and a job log are accessed through the Masking GUI.

Impact

Username and password are shown in clear text in application log files for masking jobs accessing Excel or XML documents over either (a) FTP or (b) SFTP using password-based authentication (rather than an SSH Key).

Relief/Workaround

  • Delphix highly recommends changing all passwords for accounts that were subject to this vulnerability.

  • Customers should run Excel and/or XML file masking jobs in SFTP connection mode with Public Key Authentication to avoid cleartext passwords in the application debug.log files.
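
One way to act on the password-change recommendation above, as an added example that is not Delphix code: scan downloaded job logs or an extracted support bundle for the connector passwords you configured, list which accounts were exposed, and redact the matches before the files are stored or transmitted. The account labels, passwords and log lines are constructed, and matching is on the literal password because this bulletin does not show the log format.

```python
import tempfile
from pathlib import Path


def scan_and_redact(log_dir, connector_secrets):
    """Find known connector passwords in *.log files and redact them in place.

    connector_secrets maps an account label to its configured password.
    Matching is on the literal password bytes, so no log layout is assumed.
    Returns [(account, file name, line number)]; a secret is never echoed.
    """
    # Longest first, so a password that contains a shorter one is replaced whole.
    ordered = sorted(((a, s.encode()) for a, s in connector_secrets.items() if s),
                     key=lambda pair: -len(pair[1]))
    findings = []
    for path in sorted(Path(log_dir).rglob("*.log")):
        lines = path.read_bytes().splitlines(keepends=True)
        changed = False
        for index, line in enumerate(lines):
            for account, secret in ordered:
                if secret in line:
                    findings.append((account, path.name, index + 1))
                    line = line.replace(secret, b"[REDACTED]")
                    changed = True
            lines[index] = line
        if changed:  # rewrite only files that actually held a password
            path.write_bytes(b"".join(lines))
    return findings


def demo():
    # Constructed accounts, passwords and log lines (hypothetical layout).
    secrets = {"sftp-excel-connector": "Tr0ub4dor&3", "ftp-xml-connector": "hunter2!"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "debug.log").write_text(
            "10:00:00 DEBUG opening connector\n"
            "10:00:01 DEBUG sftp user=mask password=Tr0ub4dor&3\n")
        (root / "job_42.log").write_text("connect ftp://mask:hunter2!@files.example\n")
        (root / "info.log").write_text("10:00:02 INFO job finished\n")
        findings = scan_and_redact(root, secrets)
        leftover = [p.name for p in root.glob("*.log")
                    if any(s.encode() in p.read_bytes() for s in secrets.values())]
    return findings, leftover


if __name__ == "__main__":
    hits, still_exposed = demo()
    for account, name, line_no in hits:
        print(f"rotate {account}: found in {name} line {line_no}")
    print("files still containing a password:", still_exposed)
```

Run it against a copy of the logs, since matching files are rewritten in place, and supply the passwords from a secrets store rather than hard-coding them as the demo does.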

Resolution

This issue will be fully resolved in a future Delphix Engine release.

Additional Information

Support Bundles collected on affected versions will contain the affected debug.log files and therefore should be protected when stored or transmitted. Delphix has implemented an automated process to remove these passwords during the upload process. In addition to this, all previously uploaded support bundles have been scrubbed to remove information