Websense Information Disclosure Vulnerability

Synopsis: Triton Unified Security Center 7.7.x is susceptible to an Information Disclosure Vulnerability.

It appears that Websense Triton Unified Security Center does not encrypt credentials stored within the appliance.

Details: When logged into the Websense Triton Unified Security Center with any permission level, it is possible to navigate to the “Log Database” or “User Directories” portions of the “Settings” module.  In either section, it is possible to use Google Chrome, Microsoft Internet Explorer, Apple Safari or Mozilla Firefox to “Inspect Elements” within the page.

Password blocks are initially hashed within the page using the following form variable:

<input type="password" id="logDatabaseSettings:password" name="logDatabaseSettings:password" maxlength="50" size="21">

However, due to issues within the form construction and hashing of password credentials, it is possible to change the string to the following and reload the page:

<input type="text" id="logDatabaseSettings:password" name="logDatabaseSettings:password" maxlength="50" size="21">

The password credentials are presented in plain-text, along with the associated username.
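
A defensive check for this class of flaw, as an added example that is not from the advisory or from Websense: it parses a rendered settings page and flags any password input that arrives with a stored value already in the markup. It assumes the credential is delivered in the field's value attribute, which the advisory does not state; the sample pages, the sample values and the audit_html helper are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample pages (not captured from the product). The field id is
# the one quoted in the advisory; the user name and password are made up.
LEAKY_PAGE = '''
<form id="logDatabaseSettings">
  <input type="text" id="logDatabaseSettings:user" value="svc_websense">
  <input type="password" id="logDatabaseSettings:password"
         name="logDatabaseSettings:password" maxlength="50" size="21"
         value="ExamplePassw0rd!">
</form>
'''
# Same page as a server should render it: the secret never leaves the server.
SAFE_PAGE = LEAKY_PAGE.replace('value="ExamplePassw0rd!"', 'value=""')


class PasswordFieldAudit(HTMLParser):
    """Collect password inputs whose markup already carries a value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases attribute names; bare attributes have value None.
        a = {name: (value or "") for name, value in attrs}
        if a.get("type", "").strip().lower() != "password":
            return
        if a.get("value", "") != "":
            self.findings.append({
                "field": a.get("id") or a.get("name") or "<unnamed>",
                "value_length": len(a["value"]),  # report length, never the secret
            })


def audit_html(html):
    """Return one finding per pre-populated password field in the page."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_PAGE), ("safe", SAFE_PAGE)):
        print(name, audit_html(page))
```

A static parse like this only sees values present in the served HTML; a field populated by script after load needs the same check run against the rendered DOM.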

Criticality: Websense Triton Unified Security Center requires elevated privileges to connect and authenticate users against Microsoft Active Directory. This is typically an “administration” level account. Because the Websense Triton Unified Security Center is used by users with varying levels of domain permissions, it is possible for a typical user to gain Domain Administrator-level permissions on the domain. Because no additional tools such as Metasploit, Nessus, CORE Impact or similar are needed to gain this information, it is unlikely that any intrusion detection tools would raise an alarm.

Recommendations:  We were unable to replicate the vulnerability in Websense 7.8.x.  Though a very recent release, we recommend that administrators upgrade as quickly as possible.  You can also apply the available hotfix to your existing environment.

It is recommended that you coordinate with Websense on the download and proper installation of the hotfix.  The official hotfix can be downloaded from the following address.

https://www.websense.com/content/mywebsense-hotfixes.aspx?patchid=894&prodidx=20&osidx=0&intidx=0&versionidx=0

Discussion: Hyperion Avenue Labs’ Patrick Kelley voluntarily contacted the vendor with a proof of concept, exploit behavior and suggestions for repair on January 20th, 2014. He then provided additional information to their security team, at their request, throughout the following months. On March 21st, 2014, Websense provided the following official hotfix to address the flaw.

Technical Details:
Web Security Gateway Anywhere v7.7.3
Web Security Gateway v7.7.3
Websense Web Security v7.7.3
Websense Web Filter v7.7.3
Windows and Websense V-Series appliances

Release Notes for Hotfix 31: Password Vulnerability
Hidden password fields were able to be revealed by editing the HTML using the browser element inspector

Also rolls up Hotfixes 29, 26, 24, 20, 17, 14, 13, 12, 09, 07, 06, and 02

Please note that Hotfix 07 has two parts: It applies to the manager and also to Investigative Reports.

Hotfix 07 is a critical vulnerability hotfix.