This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Fredrik_Holmber
Participant
‎2018-09-07 06:26 AM

R80 automation - run-script potential leakage of credentials

Hi,

After messing with the run-script API call for automating several things on R80, I noticed that it does not filter/mask user credentials and other sensitive data sent to it. Everything gets stored in the Recent Tasks log (bottom left corner).

Here's an example from provisioning a VS using vsx_provisioning_tool:

Had to switch to local authentication (-L) to prohibit the user credentials from being exposed and stored.

Anyway, I think this should be handled by run-script itself, possibly the Check Point GUI, especially when executing obvious Check Point internal tools. Could be some regex foo or something, replacing the output with "-p xxxxxxx" instead.

Have a nice weekend!

 - Fredrik

2 Replies
PhoneBoy
Admin
Admin
‎2018-09-09 12:59 AM

I can see that being a potentially useful addition.

Perhaps something to be considered for a later release.

Uri_Bialik
Mod
Mod
‎2018-10-18 01:57 AM

Thank you for bringing this to our attention!

We had several RnD meetings to discuss this issue and we're considering changing the run-script command so that sensitive data will not be leaked by mistake.

In the meanwhile, you'll be glad to know that there is a way to avoid this issue today (no API change is required):

* The run-script API has an "args" parameter.

* The data in the "args" parameter is passed to the script however the data in the "args" parameter does not appear in the audit logs.

For example:

"mgmt_cli run-script script-name 'sample1' script 'my_script.sh -p $1' args 'my secret password' targets r80_20_ga -r true"

The audit log for the above script would show "my_script.sh -p $1" and will not include the secret password.

We'll update the run-script API documentation to bring it to the attention of other users.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events