[midPoint] Security Advisory: Plain text password in temporary files

Radovan Semancik radovan.semancik at evolveum.com
Mon May 13 11:31:29 CEST 2019 

Date: 13 May 2019
Severity: Low (CVSS 0.1-3.9)
Affected versions: all released midPoint versions
Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 
(unreleased), 3.7.2 (unreleased), 3.6.2 (unreleased)

Description

Plaintext password is sometimes left stored in temporary files on a file 
system.

Severity and Impact

Plaintext password used in HTML forms is stored to temporary files by 
Tomcat instance embedded in midPoint. Those files are usually handled 
properly and deleted immediately. However, on some platforms (notably 
Microsoft Windows) those files are not deleted. Therefore the plaintext 
password may remain stored in the files.

Privileged access to the host running midPoint instance is required to 
exploit this vulnerability. However, such privileged access usually 
means that cleartext password can be obtained by a number of other 
methods. Hence the low severity of this issue.

Mitigation

MidPoint users are advised to upgrade their deployments to the latest 
builds from the support branches, especially users running midPoint in 
Windows environment. This issues was not reproduced in Linux environment.

As this is a low severity issue, it is not forcing official maintenance 
releases of midPoint. However, the fix is provided in all the support 
branches.

Discussion and Explanation

MidPoint, similar to many web applications, is using HTML forms to 
interact with the user. This includes operations that deal with user 
password, such as logging into midPoint, changing user's password and so 
on. MidPoint contains an embedded instance Apache Tomcat, which acts as 
a web server (container) for midPoint. Apache Tomcat is storing HTML 
form data in temporary files. Tomcat is supposed to delete those files, 
which works well on most platforms. But there is an issue with deleting 
files in Windows environment, which is a very likely cause for this 
issue. Another set of temporary files are maintained by Apache Wicket 
framework. It is not clear whether those files suffer from the same 
deletion problem as Tomcat files, however, cleartext password in 
affected midPoint versions might be stored also in those files.

MidPoint code was fixed to set up embedded Tomcat in such a way, that 
only a very large HTML forms will be stored on disk. MidPoint code was 
also changed to avoid storing password in Wicket temporary files. Those 
fixes are supposed to resolve the root cause of this issue, because 
passwords should not get stored in any temporary file as well.

Credit

This issue was reported by PrinceNullByte by the means of EU-Free and 
Open Source Software Auditing (EU-FOSSA2) project.

See Also

https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+Plain+text+password+in+temporary+files

-- 
Radovan Semancik
Software Architect
evolveum.com

More information about the midPoint mailing list