CVE-2022-22703 in SSO Agent
Summary
by MITRE • 01/18/2022
In Stormshield SSO Agent 2.x before 2.1.1 and 3.x before 3.0.2, the cleartext user password and PSK are contained in the log file of the .exe installer.
Analysis
by VulDB Data Team • 01/20/2022
CVE-2022-22703 affects Stormshield Single Sign-On Agent versions 2.x prior to 2.1.1 and 3.x prior to 3.0.2 and is a critical flaw in the software installation process. The installer mishandles sensitive authentication data: plaintext credentials are written to the log files generated by the executable installer, so security-sensitive information passes through the system without any protection.
The flaw is a cleartext credential exposure in the installation logging mechanism. When a user runs the Stormshield SSO Agent installer, the log files it produces contain the user password and the pre-shared key unencrypted, in raw form. This violates basic credential-handling practice and creates an immediate risk of credential compromise. The weakness sits at the application level and undermines the integrity of the authentication infrastructure, because the log artifacts are typically readable by system administrators and by any attacker who obtains file system access.
The impact extends beyond the installation itself and creates persistent risk for organizations running Stormshield SSO. An attacker who has already reached the system through another vector can read the log to obtain valid user credentials and authentication keys, enabling lateral movement within the network and unauthorized access to protected resources. Exposure of the pre-shared key in particular undermines the encrypted communications and authentication protocols that rely on that shared secret for validation. The vulnerability corresponds to CWE-312 (Cleartext Storage of Sensitive Information) and is a significant failure of least privilege and secure credential handling.
Affected organizations face a substantial remediation burden, because the exposed credentials can be leveraged for persistent access to network resources. The attack surface grows further when log files are replicated to other systems or retained in backups, since every copy is an additional exposure point. Security practitioners should immediately monitor for the presence of these log files and establish procedures for credential rotation and system hardening. The vulnerability also points to weaknesses in the software development lifecycle: secure coding practices were not followed, and installer components need proper input sanitization and output handling.
Mitigating CVE-2022-22703 requires both immediate and long-term measures. Organizations must update to Stormshield SSO Agent version 2.1.1 or 3.0.2, where the vulnerability is patched, and at the same time monitor and restrict access to log files so that unauthorized users cannot reach sensitive installation artifacts. System administrators should audit existing log files, remove any exposed credentials, and adopt secure log management practices that prevent a recurrence. Remediation should also include revoking and reissuing credentials for any account whose authentication data may have been exposed. The vulnerability underlines the need for secure logging practices and maps to ATT&CK techniques T1566 (Phishing) and T1552 (Unsecured Credentials) in the context of credential exposure through software installation artifacts.
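As an added example (not code from VulDB, MITRE or Stormshield), the following Python script illustrates the two defensive measures described above: auditing existing installer logs for cleartext credentials, and masking secrets at write time so a logging component cannot leak them. The log format, the field names treated as secrets (`password`, `psk`, `pre-shared key`, and so on) and the sample log lines are constructed assumptions; the page does not describe the real Stormshield installer log format.

```python
"""Audit installer logs for cleartext credentials and redact them at write time.

Added example; the log format, field names and sample lines below are
constructed assumptions, not the real Stormshield SSO Agent installer output.
"""
import io
import logging
import re
from dataclasses import dataclass

# Field names treated as secrets (assumed; extend to match the product's logs).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "psk", "pre-shared key", "secret")

# "key=value" or "key: value", case-insensitive; the separator is captured so
# that redaction preserves the original layout of the line.
SECRET_PATTERN = re.compile(
    r"\b(?P<key>" + "|".join(re.escape(k) for k in SENSITIVE_KEYS) + r")"
    r"(?P<sep>\s*[:=]\s*)(?P<value>\S+)",
    re.IGNORECASE,
)

MASK = "<REDACTED>"


@dataclass
class Finding:
    line_no: int
    key: str
    redacted_line: str  # the offending line with the secret value masked


def redact(text: str) -> str:
    """Return text with every secret value replaced by MASK; keys are kept."""
    return SECRET_PATTERN.sub(lambda m: f"{m.group('key')}{m.group('sep')}{MASK}", text)


def scan_log(text: str) -> list[Finding]:
    """Audit step: report each line that carries a cleartext credential.

    Only the redacted form of the line is kept, so the audit report itself
    does not become a second copy of the secret.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_PATTERN.finditer(line):
            findings.append(Finding(line_no, match.group("key").lower(), redact(line)))
    return findings


class RedactingFilter(logging.Filter):
    """Prevention step: mask secrets before a record reaches any handler.

    The message is fully formatted first so that secrets passed as %-args
    (the common case) are caught as well as secrets embedded in the template.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def build_logger(stream: io.StringIO) -> logging.Logger:
    """Stand-alone logger writing to `stream` with the redacting filter attached."""
    logger = logging.Logger("installer-demo")  # not getLogger: no global state
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


def demo_redacted_logging() -> str:
    """Log the kind of line the vulnerable installer wrote; return what would land on disk."""
    stream = io.StringIO()
    log = build_logger(stream)
    log.info("Configuring agent for user=%s password=%s psk=%s", "svc_sso", "hunter2", "deadbeef")
    return stream.getvalue()


# Constructed sample of what a vulnerable installer log might look like.
SAMPLE_LOG = """\
2022-01-18 10:02:11 INFO  Installer started
2022-01-18 10:02:12 INFO  Configuring agent for user=svc_sso password=S3cr3tP@ss
2022-01-18 10:02:12 INFO  Firewall link pre-shared key: 0123456789abcdef
2022-01-18 10:02:13 INFO  Service registered successfully
"""


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: exposed '{f.key}' -> {f.redacted_line}")
    print(demo_redacted_logging(), end="")
```

The audit report deliberately stores only the redacted line, so running the scanner over backups or replicated logs does not produce yet another cleartext copy of the credential; the findings still tell an administrator which accounts and shared keys must be rotated.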