PT-2022-17530 · Igel · Igel Universal Management Suite

Nick Nam

Published

2022-06-09

Updated

2022-06-17

CVE-2022-25804

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions IGEL Universal Management Suite version 6.07.100

Description An issue was discovered in the IGEL Universal Management Suite (UMS) that allows an unprivileged local attacker to read encrypted database user and password values for the UMS superuser due to insecure permissions for the serverconfig registry key under JavaSoftPrefsdeigelrmconfig in HKEY LOCAL MACHINESOFTWARE.

Recommendations For IGEL Universal Management Suite version 6.07.100, consider restricting access to the serverconfig registry key to prevent unauthorized reading of the encrypted dbuser and dbpassword values. As a temporary workaround, review and adjust the permissions of the serverconfig registry key to ensure that only authorized users have access to it.

Exploit

Fix

Incorrect Default Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-276

Related Identifiers

CVE-2022-25804

Affected Products

Igel Universal Management Suite

PT-2022-17530 · Igel · Igel Universal Management Suite

CVE-2022-25804

Weakness Enumeration

Related Identifiers

Affected Products

References · 5