Security Advisory: Plain text password in temporary files
Date: 13 May 2019
Severity: Low (CVSS 0.1-3.9)
Affected versions: all released midPoint versions
Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 (unreleased), 3.7.3 (unreleased), 3.6.2 (unreleased)
Description
Plaintext password is sometimes left stored in temporary files on a file system.
Severity and Impact
Plaintext password used in HTML forms is stored to temporary files by Tomcat instance embedded in midPoint. Those files are usually handled properly and deleted immediately. However, on some platforms (notably Microsoft Windows) those files are not deleted. Therefore the plaintext password may remain stored in the files.
Privileged access to the host running midPoint instance is required to exploit this vulnerability. However, such privileged access usually means that cleartext password can be obtained by a number of other methods. Hence the low severity of this issue.
Mitigation
MidPoint users are advised to upgrade their deployments to the latest builds from the support branches, especially users running midPoint in Windows environment. This issues was not reproduced in Linux environment.
As this is a low severity issue, it is not forcing official maintenance releases of midPoint. However, the fix is provided in all the support branches.
Discussion and Explanation
MidPoint, similar to many web applications, is using HTML forms to interact with the user. This includes operations that deal with user password, such as logging into midPoint, changing user’s password and so on. MidPoint contains an embedded instance Apache Tomcat, which acts as a web server (container) for midPoint. Apache Tomcat is storing HTML form data in temporary files. Tomcat is supposed to delete those files, which works well on most platforms. But there is an issue with deleting files in Windows environment, which is a very likely cause for this issue. Another set of temporary files are maintained by Apache Wicket framework. It is not clear whether those files suffer from the same deletion problem as Tomcat files, however, cleartext password in affected midPoint versions might be stored also in those files.
MidPoint code was fixed to set up embedded Tomcat in such a way, that only a very large HTML forms will be stored on disk. MidPoint code was also changed to avoid storing password in Wicket temporary files. Those fixes are supposed to resolve the root cause of this issue, because passwords should not get stored in any temporary file as well.
Credit
This issue was reported by PrinceNullByte by the means of EU-Free and Open Source Software Auditing (EU-FOSSA2) project.