CVE-2022-29550 in Cloud Agentinfo

Summary

by MITRE • 08/18/2022

** DISPUTED ** An issue was discovered in Qualys Cloud Agent 4.8.0-49. It writes "ps auxwwe" output to the /var/log/qualys/qualys-cloud-agent-scan.log file. This may, for example, unexpectedly write credentials (from environment variables) to disk in cleartext. NOTE: there are no common circumstances in which qualys-cloud-agent-scan.log can be read by a user other than root; however, the file contents could be exposed through site-specific operational practices. The vendor does NOT characterize this as a vulnerability because the ps data collection is intentional, and would only capture credentials on a machine that was already affected by the CWE-214 weakness.


Analysis

by VulDB Data Team • 08/03/2024

The vulnerability identified as CVE-2022-29550 concerns Qualys Cloud Agent version 4.8.0-49, which executes the command "ps auxwwe" and logs its output to /var/log/qualys/qualys-cloud-agent-scan.log. This is a security concern because ps, invoked with these flags, reports detailed process information including each process's environment variables, and those variables may contain credentials. The output is written without any sanitization or filtering, so any credential present in the environment of a running process is written to disk in plaintext. The risk is significant wherever processes are launched with authentication tokens, API keys, or passwords passed through environment variables, because those values then persist in the log file without encryption or obfuscation.

The technical flaw is the improper handling of process information inside a security monitoring tool. The ps auxwwe command captures every process on the system together with its full command line and environment, both of which can carry sensitive data. The logging is intentional and is treated as necessary for system monitoring, but it does not account for the exposure of sensitive information that the captured data may contain. The issue is categorized under CWE-214, which covers invoking a process in a way that makes sensitive information visible, for example through its command line or environment, so that it can be collected and stored in accessible locations. The vendor's position that this is not a vulnerability rests on two points: the logging is an intended feature, and credentials are only captured on a system already affected by the underlying CWE-214 weakness, meaning that credentials present in a process environment indicate a pre-existing misconfiguration.

The operational impact goes beyond a one-off information disclosure, because the log file persists and may accumulate authentication credentials and other sensitive operational data over time. The vendor notes that the log file is normally readable only by root and not by regular users, but that protection rests entirely on file system permissions and operational practice. In environments where those practices are not strictly enforced, or where additional users have access to system resources, the log file could be read by unauthorized individuals. Credential exposure is a particular concern in containerized environments, virtualized systems, or shared hosting scenarios where multiple users or processes share access to the file system. Storing sensitive information in plaintext without dedicated access controls or encryption conflicts with the principles of least privilege and data protection.

The recommended mitigations focus on data sanitization and access control. Organizations should consider configuring the Qualys Cloud Agent to exclude environment variable data from the logged process listing, or implement a log filtering step that removes or obfuscates credential values before they are written to disk. The ATT&CK framework, in particular the credential access and defense evasion tactics, describes how adversaries harvest credentials left in such locations and is a useful reference for prioritizing this protection. System administrators should also review access to the log file regularly and verify that file permissions remain restrictive. Additionally, organizations should consider centralized log management with encryption and access controls, and should conduct regular assessments to identify and remediate similar information exposure in other system monitoring tools. The issue highlights the need for security-conscious design in monitoring tools so that operational data collection does not accidentally expose secrets.
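The following is an added example, not part of the VulDB analysis or of the Qualys product, showing the two defensive steps the analysis describes: a filter that redacts credential-looking `KEY=value` tokens from `ps auxwwe`-style output before it reaches a log, and an audit helper that reports which PIDs and variable names in an existing log still carry unredacted values (without echoing the values). The sample process listing, the marker list and the function names are assumptions constructed for the example.

```python
import re

# Constructed sample in the column layout of `ps auxwwe` (11 fixed columns; the
# `e` flag appends each process's environment as KEY=value tokens after the
# command). Not real output from any host.
SAMPLE_PS_OUTPUT = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
svc       1234  0.0  0.1  12345  6789 ?        Ss   10:00   0:00 /usr/bin/app --port 8080 PATH=/usr/bin HOME=/home/svc DB_PASSWORD=hunter2 API_TOKEN=abc123
root      4321  0.0  0.0   2345  1234 ?        S    10:01   0:00 /sbin/cron PATH=/sbin LANG=C
"""

# Name fragments (assumed list) that usually mark a credential-bearing variable.
SENSITIVE_MARKERS = ("PASS", "SECRET", "TOKEN", "KEY", "CRED")
KV_TOKEN = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\S+)")
PS_COLUMNS = 11  # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND


def is_sensitive(name: str) -> bool:
    upper = name.upper()
    return any(marker in upper for marker in SENSITIVE_MARKERS)


def redact_line(line: str) -> str:
    """Replace the value of every credential-looking KEY=value token.

    Applies to command-line options (--password=x) as well as the appended
    environment, so a filter placed before the log write never stores the value.
    """
    return KV_TOKEN.sub(
        lambda m: f"{m.group(1)}=[REDACTED]" if is_sensitive(m.group(1)) else m.group(0),
        line,
    )


def redact_text(ps_text: str) -> str:
    return "\n".join(redact_line(line) for line in ps_text.splitlines()) + "\n"


def find_exposed(ps_text: str) -> list[tuple[str, str]]:
    """Audit helper: (pid, variable) pairs whose credential value is still present.

    Run against a copy of qualys-cloud-agent-scan.log to decide whether a rotation
    is needed; the values themselves are deliberately not returned.
    """
    exposed = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, PS_COLUMNS - 1)
        if len(fields) < PS_COLUMNS:
            continue  # malformed or truncated line
        pid, command = fields[1], fields[-1]
        for name, value in KV_TOKEN.findall(command):
            if is_sensitive(name) and value != "[REDACTED]":
                exposed.append((pid, name))
    return exposed
```

Over-redaction of a harmless variable whose name happens to contain a marker is the intended trade-off; the audit output names variables and PIDs only, so it is itself safe to ship to a ticket or SIEM.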

Reservation

04/21/2022

Disclosure

08/18/2022

Moderation

accepted

CPE

ready

EPSS

0.00369

KEV

no

Activities

very low
