FI-2024-012 - Sensitive information in agent log file when detailed logging is enabled with Robot Schedule Enterprise prior to version 3.05

Severity
Medium
Published Date
09-Oct-2024
Updated Date
09-Oct-2024
Vulnerabilities
CVE-2024-8264
Notes
Description

Fortra's Robot Schedule Enterprise Agent prior to version 3.05 writes FTP username and password information to the agent log file when detailed logging is enabled. The agent log is accessible in the following ways:

  • While the agent job is running, the agent log is readable by any user on the Windows agent system. Once the agent job is done, the log file is removed.

  • After the agent job is done, the log is accessible as a spooled file on the IBM i. Any user on the IBM i with access to the spooled file can read the agent log.

  • The agent log is also written to a physical file on the IBM i. This file (as well as a related logical file) has *PUBLIC *USE authority in a library that defaults to *PUBLIC *USE, meaning any IBM i profile on the system can read this log.

  • The agent log can be retrieved via the Robot Schedule GUI. If Robot Schedule's security has been configured, the user must also have access to job completion history to retrieve the agent log through the GUI.

NOTE: If detailed logging is NOT enabled, users are not exposed to this vulnerability.

Vulnerabilities

Fortra's Robot Schedule Enterprise Agent prior to version 3.05 writes FTP username and password information to the agent log file when detailed logging is enabled.
Severity
Medium
CVE
CVE-2024-8264
CWE
CWE-532: Insertion of Sensitive Information into Log File
Discovery Date
17-Nov-2023
CVSSv3.1
5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Affected Products
Vulnerability Notes
Remediation: Vendor Fix

Upgrade to Robot Schedule Enterprise 3.05 and remove any sensitive log files on the system, including spooled files from FTP sessions.

Alternatively, disable detailed logging for FTP and remove any sensitive log files, including spooled files from FTP sessions. After upgrading to Robot Schedule Enterprise 3.05, detailed logging for FTP can be re-enabled, as the username and password are no longer written to the agent log.
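As an added illustration (not Fortra's code), the functions below show the CWE-532 fix in miniature: masking the FTP USER/PASS/ACCT arguments at the point of logging, plus a triage check that lists the credential-bearing lines in an existing agent log so the affected log files and spooled files can be identified for removal. The line layout of the detailed agent log is an assumption, since the advisory does not document it.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of a detailed FTP agent log. The real Robot Schedule
# Enterprise agent log format is not documented in the advisory, so the
# "<timestamp> <direction> <payload>" layout is an assumption made only to
# exercise the functions below ("<" = client command, ">" = server reply).
SAMPLE_AGENT_LOG = """\
2024-10-09 10:15:01 > 220 ftp.example.internal FTP server ready
2024-10-09 10:15:01 < USER batchuser
2024-10-09 10:15:02 > 331 Please specify the password.
2024-10-09 10:15:02 < PASS Hunter2!
2024-10-09 10:15:02 > 230 User logged in
2024-10-09 10:15:03 < CWD /outbound
2024-10-09 10:15:03 > 250 CWD command successful
"""

_LINE = re.compile(r"^(?P<prefix>\S+ \S+ (?P<dir>[<>]) )(?P<payload>.*)$")
# RFC 959 commands whose argument is a credential. Only client lines are
# inspected, so reply text such as "230 User logged in" is never touched.
_CRED = re.compile(r"^(?P<cmd>USER|PASS|ACCT)\b\s*(?P<arg>.*)$", re.IGNORECASE)
MASK = "********"

def _credential_command(line: str) -> Optional[Tuple[str, str]]:
    """Return (line prefix, command) if the line is a client USER/PASS/ACCT."""
    m = _LINE.match(line)
    if not m or m.group("dir") != "<":
        return None
    c = _CRED.match(m.group("payload"))
    return (m.group("prefix"), c.group("cmd").upper()) if c else None

def redact_ftp_line(line: str) -> str:
    """Mask the credential argument; every other line is returned unchanged."""
    hit = _credential_command(line)
    return line if hit is None else f"{hit[0]}{hit[1]} {MASK}"

def find_credential_lines(log_text: str) -> List[Tuple[int, str]]:
    """(line number, command) for each credential-bearing line: use this to
    triage which existing agent logs and spooled files must be removed."""
    return [(n, hit[1]) for n, line in enumerate(log_text.splitlines(), 1)
            if (hit := _credential_command(line)) is not None]

def redact_log(log_text: str) -> str:
    """Apply redact_ftp_line to a whole log, preserving line order."""
    return "\n".join(redact_ftp_line(l) for l in log_text.splitlines()) + "\n"
```

Lines that do not match the assumed layout are passed through unchanged, so a redactor for a real log must be adapted to the actual format before it is trusted to remove credentials.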
