A8 Security Advisory 20210713-1


Authentic8 Security Advisory

Security Misconfiguration on Silo Windows Client versions 2.9.13 and 2.9.14

Associated CVE IDs

None

Description

This advisory discloses two (2) identified security misconfigurations that affect versions 2.9.13 and 2.9.14 of the Silo Windows Client. Both misconfigurations pertain to server certificate validation. In enterprise deployments where administrators maintain control of the application settings, existing configurations that use “certificate pinning” are subject to a low severity misconfiguration that could allow a local user with control of the endpoint to disable server certificate validation. Windows Client installations configured to permit TLS “break-and-inspect” (the default application behavior in the affected versions covered by this advisory) are subject to a medium severity misconfiguration that could allow a man-in-the-middle (MITM) attack.


Note: This does NOT affect the Silo web client (e.g., https://a8silo.com).


The following versions of the Silo Windows Client (installed application) are affected:


Version:   Windows 2.9.13
File Name: authentic8-win-2.9.13-76-g94afd13-release-prod.exe
Signature: c42d9a5e823a219489aa6f0f360c4412 (MD5)
           a396ffb45f3298dfdb8067496b3b5e0d81ecb8aa (SHA1)

Version:   Windows 2.9.14
File Name: authentic8-win-2.9.14-62-g28b9749-release-prod.exe
Signature: 32b2eb8f05c375a8dd4be55d3b933fa8 (MD5)
           93fc86baa4d0bbe21faf99c548836db4b958e772 (SHA1)
           1cd9bd3471c286c181944dcc6412db047b24b7f0e13286bff8d1054b10cc24fd (SHA256)

Solution

This issue is fixed in Windows Client version 2.9.16 and newer, and this misconfiguration is not applicable to versions 2.9.12 and earlier.

  1. Affected customers are strongly encouraged to upgrade their Windows Client to the newest available version via https://www.authentic8.com/download/windows/ and to validate the authenticity of their downloaded client by comparing with the applicable hash listed at https://www.authentic8.com/app-signatures/.
  2. Enable server certificate validation (see the Enabling Server Certificate Validation support article).
  3. (TLS Inspection Configuration Only) For customers who wish to securely perform TLS break-and-inspect, update the a8-all-certs.crt certificate file according to the Updating the Windows Client Certificate to Enable TLS Inspection support article.


Note: To ensure administrator-set configurations cannot be changed by the local user, the client must be installed using the “Install for all users of this machine” option. If deploying the client application in accordance with the enterprise deployment support article, this step is already included.
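As an added example (not Authentic8's code and not part of this advisory), the following Python script performs the hash comparison from step 1 of the Solution: it fingerprints installer files against the digests listed in the table above to flag copies of the affected builds still present on a distribution share, and checks a freshly downloaded client against the SHA256 an administrator copies from https://www.authentic8.com/app-signatures/ (that expected value is supplied by the caller, not embedded here). The directory path and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
from pathlib import Path

# Digests transcribed from the advisory's table of affected builds.
# Note the advisory publishes MD5 and SHA1 only for 2.9.13, and all three for 2.9.14.
AFFECTED_BUILDS = {
    "Windows 2.9.13": {
        "md5": "c42d9a5e823a219489aa6f0f360c4412",
        "sha1": "a396ffb45f3298dfdb8067496b3b5e0d81ecb8aa",
    },
    "Windows 2.9.14": {
        "md5": "32b2eb8f05c375a8dd4be55d3b933fa8",
        "sha1": "93fc86baa4d0bbe21faf99c548836db4b958e772",
        "sha256": "1cd9bd3471c286c181944dcc6412db047b24b7f0e13286bff8d1054b10cc24fd",
    },
}


def digests(data: bytes) -> dict:
    """Lowercase hex MD5, SHA1 and SHA256 of an installer image."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify(d: dict) -> tuple:
    """Match a digest set against the advisory table.

    Returns (version, "affected") when every digest the advisory lists for that
    version agrees, (version, "partial") when only some agree (treat as
    suspicious: a mistranscribed hash or a tampered file), else (None, "unlisted").
    """
    for version, expected in AFFECTED_BUILDS.items():
        hits = [alg for alg, hx in expected.items() if d.get(alg) == hx]
        if len(hits) == len(expected):
            return version, "affected"
        if hits:
            return version, "partial"
    return None, "unlisted"


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Step 1 check: compare a downloaded client against the published SHA256."""
    return hmac.compare_digest(digests(data)["sha256"], expected_sha256.strip().lower())


def scan_directory(directory: str) -> list:
    """Fingerprint every .exe under a (constructed) distribution share path."""
    results = []
    for exe in sorted(Path(directory).glob("*.exe")):
        version, status = classify(digests(exe.read_bytes()))
        results.append((exe.name, version, status))
    return results
```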


Common Vulnerability Scoring System

Server Certificate Validation Configuration (“cert pinning”)

CVSS v3 Rating: Low
CVSS v3 Score:  3.9
Vector:         CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

TLS Inspection Configuration (default)

CVSS v3 Rating: Medium
CVSS v3 Score:  4.8
Vector:         CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in this advisory or materials linked herein is at your own risk. Authentic8 reserves the right to change or update this advisory at any time and expects to update it as new information becomes available.

For users of the affected Silo Windows Client application, the security misconfiguration will remain until all recommended steps are completed.



Additional Notes

Please contact Support if you have any additional questions and/or require further information.