Assigning CNA: Mitre
CVSS 3.1 Base Score: 8.4
CVE ID: CVE-2023-35833 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35833)
Initial Reporter: This vulnerability was responsibly reported to Y Soft by Wouter Arts and Geert Braakhekke from WTH Security BV.
Affected Versions: All YSoft SAFEQ 6 Server versions 6.0.81 and lower.
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality: High
Integrity: High
Availability: High
Exploit Code Maturity: Functional exploit exists
Remediation Level: Official fix
Report Confidence: Confirmed
An issue was discovered in YSoft SAFEQ 6 Server. When modifying the URL of the LDAP server configuration from LDAPS to LDAP, the system does not require the password to be (re)entered. This results in exposing cleartext credentials when connecting to a rogue LDAP server.
The nature of the attack is detailed below.
It is crucial to note that any admin who configures plain LDAP instead of LDAPS inadvertently exposes user information to the network in cleartext. We strongly advise customers to refrain from using plain LDAP if they wish to maintain a secure environment. SAFEQ only needs READ permissions on the access account, so any account with those permissions can be used for the same attack.
The bugfix clears the stored password from the UI when the server URL is changed from LDAPS to LDAP, so the password must be re-entered. However, the bugfix alone may not prevent an attacker from sniffing user information if they manage to force the admin to connect to a rogue LDAP server.
Our recommendation to ensure your system's security is to update to the latest available build (Build 82 and newer), where this issue has already been resolved.
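The following is an added illustration of the fixed behaviour described above, not Y Soft's own code: a hypothetical LDAP connection setting whose URL edit discards the stored bind password on an LDAPS-to-LDAP downgrade, and which refuses cleartext ldap:// URLs unless the caller explicitly opts in. The class, field and function names are assumptions for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class LdapConnection:
    """Hypothetical model of a directory-server setting (not SAFEQ's own code)."""
    url: str
    bind_dn: str
    bind_password: Optional[str]
    # True once the admin must type the password again before the setting is usable
    password_reentry_required: bool = False


def is_encrypted_scheme(url: str) -> bool:
    """ldaps:// is TLS from the first byte; ldap:// sends the simple bind in cleartext."""
    return urlparse(url).scheme.lower() == "ldaps"


def change_ldap_url(conn: LdapConnection, new_url: str,
                    allow_cleartext: bool = False) -> LdapConnection:
    """Apply a URL edit with the behaviour the fix describes.

    * LDAPS -> LDAP downgrade: the stored bind password is discarded, so the
      server cannot send it in cleartext to whatever host the new URL points at.
    * Any cleartext ldap:// URL is refused unless the caller opts in, matching
      the advice to avoid plain LDAP altogether.
    """
    scheme = urlparse(new_url).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported directory URL scheme: {scheme!r}")
    if scheme == "ldap" and not allow_cleartext:
        raise ValueError("cleartext ldap:// refused; use ldaps:// or opt in explicitly")

    downgrade = is_encrypted_scheme(conn.url) and not is_encrypted_scheme(new_url)
    if downgrade:
        # The vulnerable behaviour kept bind_password here; clearing it forces re-entry.
        return replace(conn, url=new_url, bind_password=None,
                       password_reentry_required=True)
    return replace(conn, url=new_url)


if __name__ == "__main__":
    # Constructed sample setting; the host and DN are placeholders.
    current = LdapConnection("ldaps://dc.example.internal:636",
                             "cn=safeq,ou=svc,dc=example,dc=internal", "s3cret")
    downgraded = change_ldap_url(current, "ldap://dc.example.internal:389",
                                 allow_cleartext=True)
    print(downgraded.bind_password, downgraded.password_reentry_required)
```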