CVE-2019-13023 in Bond JetSelect
Summary
by MITRE
An issue was discovered in all versions of Bond JetSelect. Within the JetSelect Application, the web interface hides RADIUS secrets, WPA passwords, and SNMP strings from 'non administrative' users using HTML 'password field' obfuscation. By using Developer tools or similar, it is possible to change the obfuscation so that the credentials are visible.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/15/2020
The vulnerability identified as CVE-2019-13023 represents a critical security flaw in Bond JetSelect software versions, where sensitive network credentials are improperly protected through client-side obfuscation techniques. This issue affects the web interface of the JetSelect Application which is designed to manage network configurations and device access credentials. The implementation fails to provide adequate server-side protection for confidential information, relying instead on HTML password field masking as a security control that can be easily bypassed by technical users.
The technical flaw stems from the application's improper handling of sensitive credential data within its web interface. Specifically, RADIUS secrets, WPA passwords, and SNMP strings are stored in HTML password fields that only provide visual obfuscation rather than actual cryptographic protection. This approach violates fundamental security principles as it assumes that client-side masking provides sufficient protection against unauthorized access. The vulnerability is categorized under CWE-200, which addresses information exposure, and demonstrates a clear failure in implementing proper access controls and credential management practices.
The operational impact of this vulnerability is significant as it allows any user with access to the web interface to potentially view sensitive network credentials through simple manipulation of browser developer tools. This bypass mechanism enables non-administrative users to gain unauthorized access to critical network infrastructure components, potentially leading to complete network compromise. Attackers can exploit this weakness to obtain credentials for network authentication systems, wireless access points, and monitoring systems, which could facilitate lateral movement, data exfiltration, and persistent access to target environments.
Security professionals should consider this vulnerability in the context of ATT&CK framework category T1552, which covers "Unsecured Credentials" and T1078, which addresses "Valid Accounts." The flaw essentially undermines the principle of least privilege by providing unauthorized access to administrative credentials through client-side manipulation. Organizations should implement immediate mitigations including disabling or removing the web interface functionality that exposes these credentials, implementing proper server-side access controls, and ensuring that sensitive information is never transmitted in cleartext or visually obfuscated form. Additionally, network segmentation, multi-factor authentication, and regular security audits should be employed to reduce the attack surface and detect potential exploitation attempts.