[CVE-2019-12373] LANDesk Management Server - Administrator Password Disclosure

Improper access control and open directories in LDMS 10.0.1.168 Service Update 5 may lead to disclosure of administrator passwords

May 25, 2019

During an imaging task, the LANDesk provisioning subsystem creates a copy of each injected file in the globally readable network share \\<coreserver>\ldlogon\provisioning\config. This share is created during the LANDesk Management Core Server installation process, and the installer automatically sets the permissions such that "Everyone" can read from this directory.

Once the imaging task is finished, the file copies are usually removed. However, if an imaging task fails, the files are stored in the aforementioned network share in perpetuity.

If an unattend.xml file is injected during the provisioning task, an unsanitized version of that file is stored in the globally readable network share with inherited permissions. As such, it is possible for anyone with a domain user account (or access to an account within a federated domain) to read the contents of the file stored in ldlogon\provisioning\config. They can then decode the base64 string stored within and retrieve the administrator account password.
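As an added example (not part of the original advisory), a defender-side audit script that walks a mounted copy of the ldlogon\provisioning\config share and reports every leftover XML file that still carries an unattend credential element, without ever returning the value itself; the sample file and its placeholder values are constructed for the demonstration.

```python
import os
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"
# Element names that carry account secrets in unattend.xml (UserAccounts, AutoLogon, UnattendedJoin).
CREDENTIAL_TAGS = {"AdministratorPassword", "Password"}

def scan_xml(data, path):
    """Return (path, location, encoding) for each credential element with a non-empty value.
    The value itself is never returned; the defender only needs to know the file must go."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return findings  # not XML, or damaged: nothing to report
    for settings in root.iter(f"{NS}settings"):
        for component in settings.iter(f"{NS}component"):
            for elem in component.iter():
                tag = elem.tag.replace(NS, "")
                if tag not in CREDENTIAL_TAGS:
                    continue
                value_el = elem.find(f"{NS}Value")  # <Value>/<PlainText> form; UnattendedJoin uses bare text
                raw = value_el.text if value_el is not None else elem.text
                if not (raw or "").strip():
                    continue
                plain_el = elem.find(f"{NS}PlainText")
                is_b64 = plain_el is not None and (plain_el.text or "").strip().lower() == "false"
                location = f"{settings.get('pass', '?')}/{component.get('name', '?')}/{tag}"
                findings.append((path, location, "base64" if is_b64 else "plaintext"))
    return findings

def scan_share(root_dir):
    """Walk a mounted copy of ldlogon\\provisioning\\config and scan every XML file left behind."""
    findings = []
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if name.lower().endswith(".xml"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:  # bytes, so ET honours the file's own encoding declaration
                    findings.extend(scan_xml(fh.read(), full))
    return findings

# Constructed sample of a leftover unattend.xml; both values are placeholders, not real secrets.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <UserAccounts><AdministratorPassword><Value>UExBQ0VIT0xERVI=</Value>
      <PlainText>false</PlainText></AdministratorPassword></UserAccounts>
    <AutoLogon><Password><Value>placeholder</Value><PlainText>true</PlainText></Password>
      <Enabled>true</Enabled><Username>Administrator</Username></AutoLogon>
  </component></settings></unattend>"""
```

Point `scan_share()` at the mounted share (or a copy of it); any result means a failed imaging task left credentials behind and the file should be deleted and the exposed password rotated.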

While the "Everyone" permission can (and should) be removed from this directory, there is no way to completely lock down this directory. This is because the directory can also be viewed through a web service available at https://<coreserver>/ldlogon/provisioning/config. More information on this can be found here: LANDesk Management Server - Open Directories.

In this case, the web service is required so that devices running a provisioning task can retrieve the files they are to inject, and it is a good example of CWE-213, Intentional Information Disclosure.

The vendor has been notified of this issue, and has confirmed that LDMS version 10.0.1.168 SU 5 is no longer supported. Thus, this vulnerability will not be patched.
