Symantec Privileged Access Management


PAM - Service TCP/UDP secure configuration

  • 1.  PAM - Service TCP/UDP secure configuration

    Posted Feb 28, 2020 06:27 AM
    Dear all,
    I started to test the configuration/customization of the TCP/UDP Service in PAM (tested in 3.2.5 and 3.3.1).

    During my test I noticed a possible security leak, and I would like to know if there is something incorrect in my customization that allows this security problem.

    I tried, for example, to configure PuTTY as a TCP/UDP service:



    with the following Client Application string:

    "C:\Program Files\PuTTY\putty.exe" -ssh capam@<Local IP> <First Port> -pw <password> -l <username>

    and tried also

    "C:\Program Files\PuTTY\putty.exe" -ssh <username>@<Local IP> <First Port> -pw <password>


    The connection works without problems, but if I check Task Manager, I can see the plain-text string.

    I can see this behavior with different 3rd-party tools.

    Is it a limitation due to the 3rd-party tool's behavior? And if so, why is the username not in plain text but the password is?
    Or is there something that I missed during the configuration that I never noticed before?

    Thanks for your support.

    Regards,
    Andrea Gimmelli


  • 2.  RE: PAM - Service TCP/UDP secure configuration

    Broadcom Employee
    Posted Feb 28, 2020 07:37 AM
    Edited by Andreas Mueller Feb 28, 2020 07:59 AM

    Hello Andrea,


    Indeed a major issue you discovered here!!


    I can reproduce it in my lab – I suggest you open a formal Support Case with us and we will take it from there with the Sustaining Engineering Team to see if this can be addressed - at least the behavior should be documented to correctly set the user's expectations.

    To mitigate the risk of this vulnerability being exploited, I suggest not using a static password; instead, use a synchronized account with a PVP that has Exclusive Checkout on Auto Connect and Change Password on Auto Connect.


    Regards,

    Andreas


  • 3.  RE: PAM - Service TCP/UDP secure configuration

    Posted Feb 28, 2020 08:54 AM
    Hi Andrea and Andreas

    I understand that a similar error was fixed in version 3.2.2.

    You could verify the information about this release.


  • 4.  RE: PAM - Service TCP/UDP secure configuration

    Posted Feb 28, 2020 09:03 AM
    Hello Julian,
    In order to verify this behavior I tested the issue in releases 3.2.5 and 3.3.1.




    Can you please provide me the link to the manual with this information?
    Is there some procedure to perform manually in order to resolve this leak?


  • 5.  RE: PAM - Service TCP/UDP secure configuration

    Posted Feb 28, 2020 09:23 AM
    Hi Andrea

    This link lists the resolved issues for 3.3.1; see defects DE426455 and DE441428:

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/release-information/Resolved-Issues-in-3_3_2.html

    And this one for version 3.2.7; see defect DE426878:

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-2-7/release-information/resolved-issues-in-3-2-7.html




  • 6.  RE: PAM - Service TCP/UDP secure configuration

    Posted Feb 28, 2020 09:43 AM
    Thanks for the link Julian,
    The DEs refer to:

    DE441428 -> When using an A2A Client to retrieve large amounts of account passwords (in batches), password retrieval intermittently fails with 401 errors.

    DE426455 -> Privileged Access Manager sending usernames and passwords in plain text through the Windows Remote target connector.

    My case is not related to A2A or a connector (in this specific case, Windows Remote) but to the use of a TCP/UDP Service to start a 3rd-party tool on the user's workstation.

    I will try in any case to update PAM to 3.3.2 and check if the issue persists.

    Regards,

    Andrea Gimmelli


  • 7.  RE: PAM - Service TCP/UDP secure configuration
    Best Answer

    Broadcom Employee
    Posted Feb 28, 2020 09:59 AM
    Hello Andrea,
    There is no need to provide the password as an argument to PuTTY. The PAM SSH proxy is capable of inserting the password when the target device prompts for it. And our online documentation clearly warns you about using the <password> token as an explicit argument, see the following paragraph on page https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-devices/set-up-access-to-a-target-device/create-tcp-udp-services-to-access-a-device.html:

    The <Password> variable poses a security risk. It exposes the password to the client, which might log it or might expose it as an argument. When the user connects, a "View Credential" link is shown. You can mitigate this risk by configuring the   with the Change Password On View option.
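The accepted answer above boils down to one configuration rule: a TCP/UDP Service Client Application string must not carry the <password> token, because whatever the client does with that argument (here PuTTY's -pw) ends up visible in the process list. The following Python script is an added example, not part of this thread or of the PAM product; it lints Client Application strings for that token and for secret-carrying flags, and scans a constructed process listing (the kind of thing Task Manager shows) for already-launched clients that expose a password, redacting the value before reporting. The flag list beyond PuTTY's -pw and the sample processes are assumptions made for the example.

```python
import re

# Added example: lint PAM "TCP/UDP Service" Client Application strings and scan
# a process listing for passwords passed as command-line arguments.
# Not part of the original thread or of the PAM product code.

# PAM substitutes <password> (case-insensitive in this check) into the Client
# Application string at launch; the documentation warns against using it.
PASSWORD_TOKEN = re.compile(r"<password>", re.IGNORECASE)

# Flags that carry a secret as a plain argument. PuTTY/plink use -pw; the other
# two spellings are assumptions added to make the scan slightly more general.
SECRET_ARG = re.compile(r"(^|\s)(-pw|--password|/password)([=\s]+)(\S+)", re.IGNORECASE)

# Unsafe template from the thread: the password is handed to PuTTY as an argument.
UNSAFE_PUTTY = (
    r'"C:\Program Files\PuTTY\putty.exe" -ssh capam@<Local IP> <First Port> '
    r"-pw <password> -l <username>"
)
# Hardened template: no password token; per the accepted answer the PAM SSH
# proxy supplies the password when the target device prompts for it.
SAFE_PUTTY = r'"C:\Program Files\PuTTY\putty.exe" -ssh <username>@<Local IP> <First Port>'


def lint_client_application(template: str) -> list[str]:
    """Return a list of warnings for a Client Application string (empty if clean)."""
    warnings = []
    if PASSWORD_TOKEN.search(template):
        warnings.append("contains the <password> token: the secret becomes a client process argument")
    if SECRET_ARG.search(template):
        warnings.append("passes a secret through a command-line flag visible in the process list")
    return warnings


def redact_command_line(cmdline: str) -> str:
    """Mask the value following a secret-carrying flag so a finding can be logged safely."""
    return SECRET_ARG.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}****", cmdline)


def find_exposed_secrets(processes):
    """Given (pid, image, cmdline) tuples, return (pid, image, redacted cmdline) for offenders."""
    return [
        (pid, image, redact_command_line(cmd))
        for pid, image, cmd in processes
        if SECRET_ARG.search(cmd)
    ]


# Constructed sample process list mimicking what a process listing would show
# after PAM launched the unsafe and the hardened PuTTY service. Values are made up.
SAMPLE_PROCESSES = [
    (1234, "explorer.exe", r"C:\Windows\explorer.exe"),
    (4120, "putty.exe", r'"C:\Program Files\PuTTY\putty.exe" -ssh capam@127.0.0.1 30022 -pw S3cr3t!Pass -l alice'),
    (4188, "putty.exe", r'"C:\Program Files\PuTTY\putty.exe" -ssh alice@127.0.0.1 30022'),
]

if __name__ == "__main__":
    for name, template in (("unsafe", UNSAFE_PUTTY), ("safe", SAFE_PUTTY)):
        print(name, lint_client_application(template) or "OK")
    for pid, image, cmd in find_exposed_secrets(SAMPLE_PROCESSES):
        print(f"PID {pid} ({image}): {cmd}")
```

The lint is meant to run over exported service definitions before they go live; the process scan is the corresponding runtime check, where the redaction matters because a finding that quotes the raw command line would just copy the leaked password into your own logs.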


  • 8.  RE: PAM - Service TCP/UDP secure configuration

    Posted Feb 28, 2020 12:49 PM
    Dear Ralf,
    Thanks for the explanation.
    I didn't notice that, but I'm still a bit confused, because they put the <Password> warning and then the "View Credential" behavior, and they seem correlated.

    Anyway, if I understand correctly, the TCP/UDP service can be created without inserting the password parameter for all the tools that use a command line, such as PuTTY and MobaXterm, because it recognizes the "Password:" prompt in the output and inserts the password automatically.
    Conversely, if I want to use, let's say, a graphical tool such as WinSCP, MSSQL Studio, etc., I need to:
    - insert the Password parameter (with the security risk noted)
    or
    - allow View Credential with the "change password on view" behavior in order to insert the password manually (but this is also only a risk mitigation)
    or
    - use a RemoteApp configuration

    Is that correct?

    Thanks again for your precious support.

    Regards,
    Andrea Gimmelli


  • 9.  RE: PAM - Service TCP/UDP secure configuration

    Broadcom Employee
    Posted Feb 28, 2020 12:57 PM
    Yes, that's correct.