Leak of sensitive information (AD domain, username and password)

Critical
darksidemilk published GHSA-456c-4gw3-c9xw Aug 2, 2024

Package

No package listed

Affected versions

1.5.10.41

Patched versions

>=1.5.10.41.3,>=1.6.0-beta.1395

Description

Summary

FOG Server 1.5.10.41.2 can leak the AD username and password when a computer is registered.

Details

When a new computer is registered manually, FOG does not check the username/password used for the "download image" task.

PoC

Download this file: https://alexandre.botzung.fr/poc_FOG_E9XJUHi93f.sh, make it executable with chmod +x, and launch it with: ./poc_FOG_E9XJUHi93f.sh "http://<FOG_IP>/fog/"
The result should look like:

username@localhost:~$ ./poc_FOG.sh "https://192.168.0.138/fog/"
PoC launched, FOG server is https://192.168.0.138/fog/
1.) Search for an existing image present on the server...
   -> Image found "Win10_x64_v2", ID : 1
2.) Create a new computer in the database, with MAC+Name:01:CA:FE:AC:AA:65 ...
   -> Done, with imaging!
3.) Scrape AD parameters...
  - Try legacy method (#1)

 ----- AD parameters for FOG Server https://192.168.0.138/fog/ :
Domain   : 'MY-DOMAINE'
Username : 'usr-fog-ad'
Password : 'MyPass(w0rd.exe)!'

Impact

Any unauthenticated user can run this PoC and recover the AD username and password.

Severity

Critical

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

CVE ID

CVE-2024-42348
