Advisory

Yorick Koster, August 2018

Stored credentials Ivanti Workspace Control can be retrieved from Registry

Abstract

A flaw was found in Workspace Control that allows a local unprivileged user to retrieve the database or Relay server credentials from the Windows Registry. These credentials are encrypted, but the encryption that is used is reversible.

See also

CVE-2018-15593
DOC-69693 - A locally authenticated user with low privileges can decrypt encrypted password by leveraging an unspecified attack vector

Tested versions

This issue was successfully verified on Ivanti Workspace Control versions 10.2.700.1 and 10.2.950.0.

Fix

This issue was resolved in Ivanti Workspace Control version 10.3.10.0.

Introduction

Ivanti Workspace Control (formerly known as RES ONE Workspace) is a User Environment Management solution. An Agent is installed on systems that are managed with Workspace Control. The Agent retrieves its configuration from a database server or, more commonly, a so-called Relay server. The credentials that are used to connect to these servers are stored encrypted in the Windows Registry. The encryption that is used is, however, reversible, and the credentials can therefore be retrieved by any local user.

Details

Workspace Control stores credentials for connecting to the Relay server(s) or database server(s) in the Registry. The credentials are protected using a custom encryption algorithm or, if FIPS mode is enabled, using AES encryption. The encryption algorithm, including the encryption key, can be recovered by decompiling the binaries. When FIPS mode is enabled, the key is derived from a value that is also stored in the Registry. The values are stored under the HKLM hive and therefore cannot be changed by an unprivileged local user. They can, however, be read.
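The "readable but not writable" exposure described above can be checked from a key's security descriptor. The following is an added example, not code from the advisory or from Ivanti: it parses the SDDL string of a Registry key (as returned by PowerShell's `(Get-Acl <key>).Sddl`) and reports whether low-privileged principals can read or write the key. The advisory does not name the key, so the sample descriptor is constructed, and the names audit_key_sddl, parse_mask and SAMPLE_SDDL are hypothetical.

```python
import re

# Registry access bits (winnt.h); generic bits are mapped to key rights in GENERIC.
KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY = 0x1, 0x2, 0x4
RIGHTS = {"KR": 0x20019, "KX": 0x20019, "KW": 0x20006, "KA": 0xF003F,
          "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000, "GA": 0x10000000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
GENERIC = {0x80000000: 0x20019, 0x40000000: 0x20006,
           0x20000000: 0x20019, 0x10000000: 0xF003F}
# Principals that every ordinary local user belongs to (SDDL alias or SID).
LOW_PRIV = {"BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
            "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
            "WD": "Everyone", "S-1-1-0": "Everyone",
            "IU": "INTERACTIVE", "S-1-5-4": "INTERACTIVE"}

# Constructed sample, not taken from a real Workspace Control installation.
SAMPLE_SDDL = ("O:BAG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)"
               "(A;CI;KR;;;BU)(A;CIIO;KA;;;AU)")

def parse_mask(rights):
    """Turn an SDDL rights field (hex or two-letter tokens) into a key access mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
    else:
        mask = 0
        for tok in re.findall("..", rights):
            mask |= RIGHTS[tok]  # KeyError on a token this sketch does not know
    for bit, mapped in GENERIC.items():
        mask |= mapped if mask & bit else 0
    return mask

def audit_key_sddl(sddl):
    """Report read/write access that low-privileged principals hold on the key itself."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    allow, deny = {}, {}
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        kind, flags, rights, _, _, sid = ace.split(";")[:6]
        # Inherit-only ACEs apply to subkeys, not to this key; skip non-allow/deny ACEs.
        if kind not in ("A", "D") or "IO" in re.findall("..", flags) or sid not in LOW_PRIV:
            continue
        bucket = allow if kind == "A" else deny
        bucket[LOW_PRIV[sid]] = bucket.get(LOW_PRIV[sid], 0) | parse_mask(rights)
    report = {}
    for name, mask in allow.items():
        eff = mask & ~deny.get(name, 0)  # per-principal only; group nesting not resolved
        report[name] = {"read": bool(eff & KEY_QUERY_VALUE),
                        "write": bool(eff & (KEY_SET_VALUE | KEY_CREATE_SUB_KEY))}
    return report
```

For the constructed sample, the result shows BUILTIN\Users with read access and no write access, which is the situation in which any secret stored under the key is only as strong as its encryption.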

A local attacker can retrieve the encrypted credentials from the Registry and then recover the plaintext password. With the password it is possible to connect directly to the Relay and database servers. Most IT shops will use the same database password for managing the database and the Agents. With access to the database password it is often possible to change the database and thus compromise every Agent (workstation) that is connected to this database.

In some scenarios it is also possible to use these credentials to trick Agents into connecting to a rogue database containing a malicious configuration. Once connected, the Agent can be tricked into running attacker-supplied code, which will result in a full compromise of these Agents.
