#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Thales SafeNet: Windows Logon Agent - 3.4.0.1060 [1]
# Vendor:  Thales [2]
# CSNC ID: CSNC-2021-016
# CVE ID:  CVE-2021-42138 [3]
# Subject: Hardcoded Credentials
# Risk:    High
# Effect:  Locally exploitable
# Author:  Philipp Mao
# Date:    5.1.2022
#
#############################################################

Introduction:
-------------
Thales SafeNet for Windows allows users to log in to their Windows
workstation without entering a password, using only a second factor.

The Windows Logon Agent uses DPAPI with a static entropy to encrypt user
passwords. Users on the machine are able to decrypt these passwords.

Affected:
---------
Windows Logon Agent < 3.4.4

Technical Description
---------------------
The Windows Logon Agent stores DPAPI-encrypted user passwords in a file to
enable offline passwordless MFA login. This file is readable by all users on
the machine.

The DPAPI encryption is done with additional entropy and with the
DataProtectionScope LocalMachine. The entropy, however, is hardcoded into the
executable.

This means that any user on the machine can decrypt all passwords stored in
this file, including the passwords of other users.

Workaround / Fix:
-----------------
Update to Windows Logon Agent version 3.4.4.

Timeline:
---------
2021-09-15: Discovery by Philipp Mao
2021-09-17: Initial vendor notification/response
2021-11-17: Fixed version released
2021-12-21: CVE publication

References:
-----------
[1] https://cpl.thalesgroup.com/access-management/safenet-trusted-access
[2] https://cpl.thalesgroup.com/
[3] https://www.cve.org/CVERecord?id=CVE-2021-42138
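
Added example (not part of the original advisory and not vendor code): a PowerShell check for the file-permission condition described in the Technical Description, reporting any allow entry that grants read access to a machine-wide group. The function name is hypothetical, and the path in the usage comment is a placeholder because the advisory does not name the file.

```powershell
# Added example: reports ACL entries that let every local user read a file.
# Get-BroadReadAce is a hypothetical helper name, not part of any product.
function Get-BroadReadAce {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs that cover all (or all logged-on) users of the machine.
    $broadSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-4'        # INTERACTIVE
    )

    # FILE_READ_DATA plus the generic bits that also imply read access.
    $readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData -bor
                0x80000000 -bor   # GENERIC_READ
                0x10000000        # GENERIC_ALL

    $acl   = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than account names so the match is locale-independent.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($broadSids -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $readMask) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Sid       = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Usage (placeholder path; substitute the credential cache file on your host):
#   Get-BroadReadAce -Path 'C:\<path-to-agent-data>\<cache-file>'
# No output means no broad read ACE was found on that file.
```

An empty result only covers the file permission; data protected with DataProtectionScope LocalMachine and a fixed entropy value is still not bound to a single user account, so affected hosts should also be updated to the fixed version.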