Skip to main content
Delphix

TB047 Masking Engine Export Data Includes Database, FTP and SFTP Connector Passwords In Clear Text

 

 

Alert Type

Security
Security Level: High
CVSS Score: 8.4 based on


Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Affected Software

The issue affects the following Delphix Releases:

Delphix Engine (Masking service enabled) 5.2.5.0 and 5.2.5.1
Delphix Engine (Masking service enabled) 5.2.4.0
Delphix Engine (Masking service enabled) 5.2.3.0 and 5.2.3.1
Delphix Engine (Masking service enabled) 5.2.2.0 and 5.2.2.1
Delphix Engine (Masking service enabled) 5.1.10.0
Delphix Engine (Masking service enabled) 5.1.9.0
Delphix Engine (Masking service enabled) 5.1.8.0 and 5.1.8.1
Delphix Engine (Masking service enabled) 5.1.7.0
Delphix Engine (Masking service enabled) 5.1.6.0
Delphix Engine (Masking service enabled) 5.1.5.0 and 5.1.5.1
Delphix Engine (Masking service enabled) 5.1.4.0
Delphix Engine (Masking service enabled) 5.1.3.0 and 5.1.3.1
Delphix Engine (Masking service enabled) 5.1.2.0
Delphix Engine (Masking service enabled) 5.0.5.0 and 5.0.5.1
Delphix Engine (Masking service enabled) 5.0.4.0 and 5.0.4.1
Delphix Engine (Masking service enabled) 5.0.3.0 and 5.0.3.1
Delphix Engine (Masking service enabled) 5.0.2.0, 5.0.2.1, 5.0.2.2, and 5.0.2.3
Delphix Engine (Masking service enabled) 5.0.1.0 and 5.0.1.1
Delphix Masking Engine 4.7.2 and 4.7.3 (stand-alone)
DMsuite version 4.x (stand-alone)
DMsuite version 3.x (stand-alone)

Impact

This vulnerability can only be triggered by a Masking Environment User who has been given export environment privileges. Only Delphix Engines which are actively being used for Masking are affected by this vulnerability.

In the affected software releases, an Environment User with export environment privileges can export environment details, and that exported data includes the database, file FTP and SFTP connector passwords in clear text. While the Export Environment feature was originally designed to include passwords in the export package for ease of use during import process, Delphix has decided to change the functional design to no longer include passwords in the export package. Users who choose to use the Export/Import Environment functionality will have to re-enter passwords before import.

This vulnerability might expose sensitive data stored or processed by the Masking Engine. For this reason, Delphix highly recommends changing database connector, file connector, and Masking Engine account credentials which may have been compromised due to this vulnerability. It’s a best practice to not share login credentials amongst multiple platforms. If you have passwords shared between a susceptible Delphix Masking Engine and other systems, please be sure to update all such passwords.

Delphix is not aware of any instances of this vulnerability being exploited.

Symptoms

None

Relief/Workaround

Disable the environment export privilege for all users, which will limit the ability to export environment data to administrative users only.

Resolution

The issue is fully resolved in Delphix 5.2.6.0.