Hard-coded password in FileCatalyst Direct 3.8.10 Build 138 TransferAgent (and earlier) and FileCatalyst Workflow 5.1.6 Build 130 (and earlier)

FI-2024-007 - Hard-coded password in FileCatalyst Direct 3.8.10 Build 138 TransferAgent (and earlier) and FileCatalyst Workflow 5.1.6 Build 130 (and earlier)

Severity
High
Published Date
18-Jun-2024
Updated Date
18-Jun-2024
Vulnerabilities
CVE-2024-5275
 
Notes
Description

A hard-coded password in the FileCatalyst TransferAgent can be found which can be used to unlock the keystore from which contents may be read out, for example, the private key for certificates. Exploit of this vulnerability could lead to a machine-in-the-middle (MiTM) attack against users of the agent. This issue affects all versions of FileCatalyst Direct from 3.8.10 Build 138 and earlier and all versions of FileCatalyst Workflow from 5.1.6 Build 130 and earlier.

 

Vulnerabilities

 
Hard-coded password in FileCatalyst Direct 3.8.10 Build 138 TransferAgent (and earlier) and FileCatalyst Workflow 5.1.6 Build 130 (and earlier)
Severity
High
CVE
CVE-2024-5275
CWE
CWE-259:Use of Hard-coded Password
Discovery Date
13-May-2024
CSSv3.1
7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Products
FileCatalyst Direct 3.8.10 Build 138 TransferAgent (and Earlier)
FileCatalyst Workflow 5.1.6 Build 130 (and earlier)
Vulnerability Notes
Remediation: Vendor Fix

For FileCatalyst Direct users, upgrade to 3.8.10 build 144 (or higher)
For FileCatalyst Workflow users, upgrade to 5.1.6 build 133 (or later)
For those using the FileCatalyst TransferAgent remotely, e.g., as a remote-controlled node accepting REST calls, update REST calls to "http". If "https" is still required, a new SSL key and add it to the agent keystore.

Please see the Knowledge Article "Action Required by June 18th 2024: FileCatalyst TransferAgent SSL and localhost changes" linked in this advisory.

 
References
 

References

 

Acknowledgements

Fortra would like to thank the following individuals:

  • Greg , Palmer Research