EDIT THIS TITLE BEFORE POSTING. Use this template for bug reports. If you'd like to request a feature, please be as descriptive as possible and delete the template except the first section (Request Type)
Request Type
Bug
Work Environment
Question
Answer
OS version (server)
RHEL7
OS version (client)
Win10
Cortex version / git hash
3.1.7-1
Package Type
Docker
Browser type & version
Problem Description
Sensitive data (private key and passwords in the configurations) are stored in an unencrypted manner on the Cortex component after being entered in a responder's configuration. Therefore, an attacker gaining access to this component can obtain all the secrets stored there. These passwords are only accessible to users with administrative rights, so the impact is limited.
Steps to Reproduce
Log in with administrator account
Make request to : /api/responder?range=all&sort=%2Bname
You can see plaintext password frm responders configuration
EDIT THIS TITLE BEFORE POSTING. Use this template for bug reports. If you'd like to request a feature, please be as descriptive as possible and delete the template except the first section (Request Type)
Request Type
Bug
Work Environment
Problem Description
Sensitive data (private key and passwords in the configurations) are stored in an unencrypted manner on the Cortex component after being entered in a responder's configuration. Therefore, an attacker gaining access to this component can obtain all the secrets stored there. These passwords are only accessible to users with administrative rights, so the impact is limited.
Steps to Reproduce
Possible Solutions
Can you hash passwords before storing ?
Complementary information