A8 Security Advisory 20210713-1
Authentic8 Security Advisory
Security Misconfiguration on Silo Windows Client versions 2.9.13 and 2.9.14
Associated CVE IDs
This advisory discloses two (2) identified security misconfigurations that affect versions 2.9.13 and 2.9.14 of the Silo Windows Client. Both misconfigurations pertain to server certificate validation. For enterprise deployments where administrators wish to maintain control of the application settings, existing configurations that leverage “certificate pinning” are vulnerable to a low severity misconfiguration that could allow a local user with control of the endpoint to disable server certificate validation. For Windows Client applications configured to permit TLS “break-and-inspect” (default application behavior in the affected versions associated with this advisory), these systems are vulnerable to a medium severity misconfiguration that could potentially allow for a man-in-the-middle (MITM) attack.
Note: This does NOT affect the Silo web client (e.g., https://a8silo.com).
The following versions of the Silo Windows Client (installed application) are affected: 2.9.13 and 2.9.14.
This issue is fixed in Windows Client version 2.9.16 and newer; the misconfiguration is not applicable to versions 2.9.12 and earlier.
Recommended steps:
- Affected customers are strongly encouraged to upgrade their Windows Client to the newest available version via https://www.authentic8.com/download/windows/ and to validate the authenticity of the downloaded installer by comparing its hash with the applicable hash listed at https://www.authentic8.com/app-signatures/.
- Enable server certificate validation (see the Enabling Server Certificate Validation support article).
- (TLS Inspection Configuration Only) For customers who wish to securely perform TLS break-and-inspect, update the a8-all-certs.crt certificate file according to the Updating the Windows Client Certificate to Enable TLS Inspection support article.
Note: To ensure administrator-set configurations cannot be changed by the local user, the client must be installed using the “Install for all users of this machine” option. If deploying the client application in accordance with the enterprise deployment support article, this step is already included.
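The hash comparison in the first recommended step, written out as a PowerShell check an administrator can run before deploying the installer. This is an added example, not Authentic8's own tooling; the installer path, the expected SHA-256 value (to be copied from https://www.authentic8.com/app-signatures/ for the exact version downloaded) and the expected signer string are placeholders supplied by the administrator, and the Authenticode check is an additional assumption layered on top of the advisory's hash comparison, not a replacement for it.

```powershell
# Added example (not Authentic8's own code): verify a downloaded Silo Windows
# Client installer before deploying it, as the advisory recommends.
# Assumptions (placeholders, not values taken from the advisory):
#   - $InstallerPath: the file saved from https://www.authentic8.com/download/windows/
#   - $ExpectedSha256: the hash for that exact version, copied from
#     https://www.authentic8.com/app-signatures/
#   - $ExpectedSigner: a substring expected in the Authenticode signer subject;
#     confirm the real subject yourself, this default is an assumption
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [Parameter(Mandatory)] [string] $ExpectedSha256,
    [string] $ExpectedSigner = 'Authentic8'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}

# 1. Hash comparison: the published hash is the advisory's authenticity check.
#    Normalise the pasted value (strip whitespace, ignore case) before comparing.
$actual   = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
$expected = ($ExpectedSha256 -replace '\s', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "SHA256 mismatch for ${InstallerPath}: expected $expected, got $actual"
}
Write-Host "SHA256 matches published hash: $actual"

# 2. Authenticode check: defence in depth on top of the hash comparison.
#    Status must be 'Valid' (chain trusted, file unmodified since signing).
$sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Authenticode signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$ExpectedSigner*") {
    throw "Unexpected signer subject: $subject"
}
Write-Host "Authenticode signature valid; signer: $subject"
Write-Host "Installer verified. Install using the 'Install for all users of this machine' option."
```

Run it as `.\Verify-SiloInstaller.ps1 -InstallerPath C:\path\to\installer.exe -ExpectedSha256 <hash from app-signatures page>`; any mismatch terminates the script with a non-zero exit code, so it can gate an automated deployment. The hash check is the step the advisory asks for; the signature check only adds assurance that the file has not been altered since Authentic8 signed it and does not tell you which version you have.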
Common Vulnerability Scoring System
Server Certificate Validation Configuration (“cert pinning”)
CVSS v3 Rating: Low
CVSS v3 Score: 3.9
TLS Inspection Configuration (default)
CVSS v3 Rating: Medium
CVSS v3 Score: 4.8
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in this advisory or materials linked herein is at your own risk. Authentic8 reserves the right to change or update this advisory at any time and expects to update it as new information becomes available.
For users of the affected Silo Windows Client application, the security misconfiguration will remain until all recommended steps are completed.
Please contact Support if you have any additional questions and/or require further information.