CVE-2021-3141 in Stealth

Summary

by MITRE • 03/18/2021

In Unisys Stealth (core) before 6.0.025.0, the Keycloak password is stored in a recoverable format that might be accessible by a local attacker, who could gain access to the Management Server and change the Stealth configuration.

Analysis

by VulDB Data Team • 04/02/2021

The vulnerability identified as CVE-2021-3141 affects Unisys Stealth core software versions prior to 6.0.025.0, representing a critical security flaw in the authentication infrastructure that could enable local attackers to compromise the entire system. This vulnerability specifically targets the Keycloak password storage mechanism within the Stealth framework, creating an exploitable condition that undermines the security posture of organizations relying on this protection platform.

The technical flaw stems from the insecure storage of Keycloak passwords in a recoverable format that persists on the local filesystem. This design decision violates fundamental security principles outlined in CWE-312, which addresses the exposure of sensitive information through improper storage. The password storage mechanism fails to implement proper cryptographic protection, leaving credentials vulnerable to extraction by unauthorized local users who possess minimal system access privileges. The vulnerability creates a direct path for privilege escalation and unauthorized access to management interfaces.

The operational impact of this vulnerability extends beyond simple credential theft, as it provides attackers with the ability to access the Management Server and modify Stealth configuration parameters. This capability enables attackers to alter security policies, modify access controls, and potentially disable security features entirely. The compromise of the management interface represents a complete breakdown of the system's administrative security model, allowing attackers to manipulate the core protection mechanisms that are supposed to safeguard enterprise environments. This vulnerability directly aligns with ATT&CK technique T1566, which covers credential harvesting through various attack vectors including local system access.

Organizations utilizing Unisys Stealth software prior to version 6.0.025.0 face significant risk from this vulnerability, as local attackers with basic system access can exploit the insecure password storage to gain full administrative control. The attack surface is particularly concerning because it requires minimal privileges to exploit, making it accessible to users who might have legitimate access to the system for operational purposes but lack authorization to modify security configurations. The vulnerability creates a persistent backdoor that could remain undetected for extended periods while providing attackers with complete control over the system's security policies and enforcement mechanisms.

The recommended mitigation strategy involves immediate deployment of Unisys Stealth core version 6.0.025.0 or later, which includes proper cryptographic protection for Keycloak passwords and other sensitive configuration elements. Organizations should also implement additional monitoring for unauthorized access attempts to management interfaces and conduct thorough security audits of local system access controls. Security teams should review and enforce least-privilege access controls to minimize the potential impact of local system compromise, and implement file system integrity monitoring to detect unauthorized modifications to sensitive configuration files. The vulnerability demonstrates the critical importance of proper credential storage practices and highlights the need for regular security updates and patch management procedures to maintain effective defense-in-depth strategies.

Reservation: 01/13/2021
Disclosure: 03/18/2021
Moderation: accepted
CPE: ready
EPSS: 0.00220
KEV: no
Activities: very low
