Skip to main content
Delphix

Masking Feature Exposes Database Passwords to Non Administrative Users (TB036)

 

Alert Type

Security

Impact 

When using the Delphix Masking Engine, a browser-based UI is used to administer and operate data masking. Users login to the browser-based UI using their Masking Engine account credentials.  Masking Engine accounts are either administrator accounts with unlimited privileges or non-administrator accounts with role based privileges. Masking Engine administrators define database connection credentials that allow the masking software to update databases with masked data. 

The Masking Engine UI itself does not show database or Masking Engine account credentials in clear text.  Once entered, a database or Masking Engine account password will be displayed as a sequence of asterisks. However, when using the UI, cleartext passwords may be stored in the user's browser cache and can be exposed by examining the HTML page source in the browser.

Although there might be an expectation that non-Administrative users do not have access to database credentials, such users could potentially gain access to database or non-Administrator Masking Engine account credentials through the aforementioned method of examining the local browser cache. 

Contributing Factors

The issue described only occurs when using the Delphix Masking Engine browser UI. This UI is available with the stand-alone Masking Product and in some versions of the Delphix Masking Engine. 

The problem can only occur in the following product releases:

  • Delphix Engine 5.0.1.0 and 5.0.1.1
  • Delphix Engine 5.0.2.0, 5.0.2.1, 5.0.2.2, and 5.0.2.3
  • Delphix Engine 5.0.3.0 and 5.0.3.1
  • Delphix Engine 5.0.4.0 and 5.0.4.1
  • Delphix Engine 5.0.5.0 and 5.0.5.1
  • Delphix Masking Engine 4.7.2 and 4.7.3 (stand-alone)
  • DMsuite version 3.x (stand-alone)
  • DMsuite version 4.x (stand-alone)

Exposure of passwords to less privileged users can only occur when there is a mix of Administrator and non-Administrator users in the Data Masking UI.   

Credentials are not exposed to unauthenticated users of the UI. 

Symptoms

Not applicable

Relief/Workaround

There is a partial workaround for this issue that resolves the ability for non-administrator users to access database credentials:

  1. Login to the Delphix Masking UI with credentials for a user with the Administrator role. 
  2. Navigate to Settings -> Roles in the Delphix Masking UI.
  3. Select "+ Add Roles" to create a new role in the application.
  4. Choose a new Role Name and select desired privileges in the role, but exclude all privileges in the Connection and User categories. 
  5. Select "Submit" to create the new role.
  6. Navigate to Admin -> Users  in the UI.
  7. For each user with non-Administrator role.
    1. Select the Edit icon for the user.
    2. Change the Role to the newly created role that excludes privileges for Connections and privileges for User
    3. Select Save to update the user.
  8. If there is a concern that database or Masking Engine account credentials may have been compromised due to this vulnerability, Delphix
    recommends changing the affected passwords. 

It's a best practice to use TLS security for the Delphix Masking Engine. This will prevent any cleartext data, including passwords, from transiting the network between the Delphix Engine and the web-based client UI. TLS security may have been enabled at product installation time, depending on local requirements. If TLS is not enabled and is required for your environment, please contact Delphix Support.

Resolution

The issue is fully resolved in Delphix Engine release 5.0.5.2 and newer. 

Additional Information

  • The susceptible portions of the Delphix Masking UI are the  Home->Environments -> Connector tab and the Admin->Users tab
  • By implementing the above workaround, UI users without the Administrator role will no longer be able to navigate to the susceptible portion of the interface. 
  • UI users with a role type of User, i.e. non-Administrator user, are further limited by an access control list that determines which environments each user can access. Under no circumstances can users access database credentials defined in environments for which they don't have defined access.

For additional information or questions please contact Delphix Customer Support by opening a case.