Closed evildaemond closed 2 months ago
Adding VRT Priorities below, please note, most are marked as Varies, as they are heavily context dependent for the target, the environmental context, and the access requirements.
Template Drafted | Priority | VRT Category | Specific vulnerability names | Variant / Affected function | CVSS String |
---|---|---|---|---|---|
X | Varies | Physical Security issues | Bypass of physical access control | | AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
X | Varies | Physical Security issues | Weakness in physical access control | Cloneable Key | AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
X | Varies | Physical Security issues | Weakness in physical access control | Master Key Identification | AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
X | P2 | Physical Security issues | Weakness in physical access control | Commonly Keyed System | AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
X | Varies | Insecure OS/Firmware | Weakness in Firmware Updates | Firmware cannot be updated | AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
X | P3 | Insecure OS/Firmware | Weakness in Firmware Updates | Firmware does not validate update integrity | AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H |
X | P5 | Insecure OS/Firmware | Weakness in Firmware Updates | Firmware is not encrypted | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
X | Varies | Insecure OS/Firmware | Kiosk Escape or Breakout | | AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |
X | Varies | Insecure OS/Firmware | Poorly Configured Disk Encryption | | AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
X | P3 | Insecure OS/Firmware | Shared Credentials on Storage | | AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
X | P2 | Insecure OS/Firmware | Over-Permissioned Credentials on Storage | | AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
X | P2 | Insecure OS/Firmware | Local Administrator on default environment | | AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
X | Varies | Insecure OS/Firmware | Poorly Configured Operating System Security | | AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L |
X | Varies | Insecure OS/Firmware | Recovery of Disk Contains Sensitive Material | | AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
X | Varies | Insecure OS/Firmware | Failure to Remove Sensitive Artifacts from Disk | | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
X | Varies | Insecure OS/Firmware | Data not encrypted at rest | sensitive | AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
X | P5 | Insecure OS/Firmware | Data not encrypted at rest | non sensitive | AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
Adding CVSS data and remediation advice.
```json
{
  "id": "physical_security_issues",
  "children": [
    {
      "id": "weakness_in_physical_access_control",
      "children": [
        {
          "id": "cloneable_key",
          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
        },
        {
          "id": "commonly_keyed_system",
          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
        },
        {
          "id": "master_key_identification",
          "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
        }
      ]
    },
    {
      "id": "bypass_of_physical_access_control",
      "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
    }
  ]
},
{
  "id": "insecure_os_firmware",
  "children": [
    {
      "id": "command_injection",
      "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
    },
    {
      "id": "data_not_encrypted_at_rest",
      "children": [
        {
          "id": "non_sensitive",
          "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
        },
        {
          "id": "sensitive",
          "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
        }
      ]
    },
    {
      "id": "failure_to_remove_sensitive_artifacts_from_disk",
      "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
    },
    {
      "id": "hardcoded_password",
      "children": [
        {
          "id": "non_privileged_user",
          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
        },
        {
          "id": "privileged_user",
          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
        }
      ]
    },
    {
      "id": "kiosk_escape",
      "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"
    },
    {
      "id": "local_administrator_on_default_environment",
      "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
    },
    {
      "id": "overpermissioned_credentials_on_storage",
      "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
    },
    {
      "id": "poorly_configured_disk_encryption",
      "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    {
      "id": "poorly_configured_operating_system_security",
      "cvss_v3": "AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"
    },
    {
      "id": "recovery_of_disk_contains_sensitive_material",
      "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    {
      "id": "shared_credentials_on_storage",
      "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
    },
    {
      "id": "weakness_in_firmware_updates",
      "children": [
        {
          "id": "firmware_cannot_be_updated",
          "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
        },
        {
          "id": "firmware_does_not_validate_update_integrity",
          "cvss_v3": "AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H"
        },
        {
          "id": "firmware_is_not_encrypted",
          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
        }
      ]
    }
  ]
}
```
```json
{
  "id": "physical_security_issues",
  "children": [
    {
      "id": "weakness_in_physical_access_control",
      "children": [
        {
          "id": "cloneable_key",
          "remediation_advice": "The 2 most effective are interactive locking elements (which can be defeated still by a skilled attacker) or usage of digital key systems such as Assa eCLIQ or Pulse"
        },
        {
          "id": "commonly_keyed_system",
          "remediation_advice": "Unique keys should be used on any system which intends to be secure, otherwise if keyed to a common key system, the risk needs to be accepted that the key could be obtained if the lock doesn't secure a secure component."
        },
        {
          "id": "master_key_identification",
          "remediation_advice": "While physical lock systems require the key material to be inside the lock, electronic access control systems can use cryptographically strong key mechanisms which prevent the key material from being accessible on the device"
        }
      ]
    },
    {
      "id": "bypass_of_physical_access_control",
      "remediation_advice": ""
    }
  ]
},
{
  "id": "insecure_os_firmware",
  "children": [
    {
      "id": "command_injection",
      "remediation_advice": "1. Avoid using shell execution functions. If unavoidable, limit their use to very specific use cases.\n2. Perform proper input validation when taking user input into a shell execution command.\n3. Use a safe API when accepting user input into the application.\n4. Escape special characters in the case where a safe API is not available.",
      "references": [
        "https://www.owasp.org/index.php/Top_10-2017_A1-Injection",
        "https://www.owasp.org/index.php/Command_Injection",
        "http://projects.webappsec.org/OS-Commanding",
        "https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet",
        "https://www.cvedetails.com/vulnerability-list/opec-1/execute-code.html"
      ]
    },
    {
      "id": "data_not_encrypted_at_rest",
      "children": [
        {
          "id": "non_sensitive",
          "remediation_advice": "Data within the device should be encrypted at rest, preventing the data from being viewable by a 3rd party attacker."
        },
        {
          "id": "sensitive",
          "remediation_advice": "Data within the device should be encrypted at rest, preventing the data from being viewable by a 3rd party attacker."
        }
      ]
    },
    {
      "id": "failure_to_remove_sensitive_artifacts_from_disk",
      "remediation_advice": "Implement robust deletion functions which not only reference to the data, but write over the existing data to prevent digital forensic methods of recovery"
    },
    {
      "id": "hardcoded_password",
      "remediation_advice": "1. Never use a hardcoded password within the source code. Many times, the application can be disassembled or decompiled after it has been compiled. This will likely reveal the hardcoded password string to an attacker.\n2. Never use a password string. Instead, use a random salt per user with the password string and run it through a cryptographically strong hashing algorithm.\n3. Store the salt and the hashed password server-side and do the check there. Never check the password on the client side.",
      "references": [
        "https://www.owasp.org/index.php/Password_Management:_Hardcoded_Password",
        "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Password_Storage_Cheat_Sheet.md"
      ]
    },
    {
      "id": "kiosk_escape",
      "remediation_advice": "1. Implement vigorous QA testing of applications prior to deployment\n2. Implement robust error logging and catching within the application to prevent crashes\n3. Initiate application restarts in the event of an application crash.\n4. Use Lower Privileged accounts with minimal permissions to lower the impact of a potential kiosk escape"
    },
    {
      "id": "local_administrator_on_default_environment",
      "remediation_advice": "The usage of Local Administrator accounts on a device is usually not necessary for the operation, especially with embedded hardware and kiosks. Use of Lower Privileged accounts with minimal permissions and Jails lowers the impact if access by an attacker is achieved."
    },
    {
      "id": "overpermissioned_credentials_on_storage",
      "remediation_advice": "When provisioning credentials, strict scoping of the credentials to the resources required to operate reduces the impact of an exposure of those credentials."
    },
    {
      "id": "poorly_configured_disk_encryption",
      "remediation_advice": "1. Use of standard cryptographic libraries reduces the likelihood of implementation vulnerabilities\n2. Verify your bootloader and encryption systems are up to date to avoid public exploits."
    },
    {
      "id": "poorly_configured_operating_system_security",
      "remediation_advice": "Following standards such as the NIST or ASD hardening guide allows you to identify known configuration issues and apply configuration changes to prevent this from being exploited further."
    },
    {
      "id": "recovery_of_disk_contains_sensitive_material",
      "remediation_advice": "Implement robust deletion functions which not only reference to the data, but write over the existing data to prevent digital forensic methods of recovery."
    },
    {
      "id": "shared_credentials_on_storage",
      "remediation_advice": "Credentials for shared services should be avoided where possible, they allow for a single breach to be escalated to affect an entire organisation. When provisioning a service credential, they should be unique per device and strictly scoped to the resources required to operate, to reduce the impact of an exposure of those credentials"
    },
    {
      "id": "weakness_in_firmware_updates",
      "children": [
        {
          "id": "firmware_cannot_be_updated",
          "remediation_advice": "Implement the ability for the firmware to be upgraded on a device, including an automatic update policy, which will allow for the patch of future security issues on the device."
        },
        {
          "id": "firmware_does_not_validate_update_integrity",
          "remediation_advice": "Implementation of firmware integrity checking using cryptographic signatures of a certificate is considered best practice, allowing the integrity of the firmware updates to be validated by the device prior to patching."
        },
        {
          "id": "firmware_is_not_encrypted",
          "remediation_advice": "Implementation of encryption for firmware updates allows for the update data to be protected during transit, and increases the time taken to reverse engineer the firmware used, and future security patches."
        }
      ]
    }
  ]
}
```
OMG wow, this is a lot of information for me to understand at once. If there is any way I can be contacted virtually or by phone to help me understand all of this, because I am a person with disabilities and wow, this is a lot of information and I am having a hard time understanding it all. Please contact me during the day; at this time I am falling asleep due to vacation at 1:30 in the morning.
On Fri, Mar 15, 2024, 1:04 AM Adam Jon Foster @.***> wrote:
Adding CVSS data and remediation advice.
Hey @1keep2keepFaith,
Regarding the changes, this should break it down for you, happy to answer any questions if you need.
Addition of Physical Security issues VRT Category
Addition of Bypass of physical access control and Weakness in physical access control as Specific vulnerability name under Physical Security issues
Addition of Cloneable Key, Master Key Identification and Commonly Keyed System as Variant / Affected functions of Physical Security issues.Weakness in physical access
Addition of Weakness in Firmware Updates, Persistent Memory, Kiosk Escape or Breakout, Poorly Configured Disk Encryption, Shared Credentials on Storage, Over-Permissioned Credentials on Storage, Local Administrator on default environment, Poorly Configured Operating System Security, Recovery of Disk Contains Sensitive Material, Failure to Remove Sensitive Artifacts from Disk and Data not encrypted at rest as Specific vulnerability names under Insecure OS/Firmware
Addition of Firmware cannot be updated, Firmware upgrades are not signed, Firmware does not validate update integrity and Firmware is not encrypted as Variant / Affected functions of Insecure OS/Firmware.Weakness in Firmware Updates
Addition of sensitive and non sensitive as Variant / Affected functions of Insecure OS/Firmware.Data not encrypted at rest
Removal of Insecure Data Storage > Sensitive Application Data Stored Unencrypted > On Internal Storage and Insecure Data Storage > Non-Sensitive Application Data Stored Unencrypted
No Changes to Insecure OS/Firmware > Command Injection, Insecure OS/Firmware > Hardcoded Password > Privileged User, and Insecure OS/Firmware > Hardcoded Password > Non-Privileged User
Associated Templates have been added to the bugcrowd/templates project, listing below
Additional Insecure OS/Firmware PR
Physical Access Control PR
Description
The Bugcrowd VRT holds a lot of information regarding Web application and Car hacking related issues, however not a lot regarding physical hardware, which has become a popular topic for our incoming bashes and clients. We've identified a few holes within the existing VRT to fill in, and we're looking for responses prior to merging it into the primary repo.
Changes
Removals from Existing VRT
Insecure Data Storage > Sensitive Application Data Stored Unencrypted > On Internal Storage
Insecure Data Storage > Non-Sensitive Application Data Stored Unencrypted
Addition to the VRT
Physical Security issues
Physical Security issues.Bypass of physical access control
Physical Security issues.Weakness in physical access control
Physical Security issues.Weakness in physical access control.Cloneable Key
Physical Security issues.Weakness in physical access control.Master Key Identification
Physical Security issues.Weakness in physical access control.Commonly Keyed System
Insecure OS/Firmware.Weakness in Firmware Updates.Firmware cannot be updated
Insecure OS/Firmware.Weakness in Firmware Updates.Firmware does not validate updates integrity
Insecure OS/Firmware.Weakness in Firmware Updates.Firmware is not encrypted
Insecure OS/Firmware.Hardcoded Password.Privileged User
Insecure OS/Firmware.Hardcoded Password.Non-Privileged User
Insecure OS/Firmware.Command Injection
Insecure OS/Firmware.Kiosk Escape or Breakout
Insecure OS/Firmware.Poorly Configured Disk Encryption
Insecure OS/Firmware.Shared Credentials on Storage
Insecure OS/Firmware.Over-Permissioned Credentials on Storage
Insecure OS/Firmware.Local Administrator on default environment
Insecure OS/Firmware.Poorly Configured Operating System Security
Insecure OS/Firmware.Recovery of Disk Contains Sensitive Material
Insecure OS/Firmware.Failure to Remove Sensitive Artefacts from Disk
Insecure OS/Firmware.Data not encrypted at rest.sensitive
Insecure OS/Firmware.Data not encrypted at rest.non sensitive
Notes
Please note, we have not assigned priorities as of yet for these issues, however these will be added to this issue soon.