42Gears Security and Compliance Standards
Advisory ID: 42G-2023-002
Shortened Description: Plaintext Password in Registry
Explanation:
Severity (CVSSv3 Range): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Published: 2023-04-27
Issue date: 2023-04-27
Updated on: 2023-04-28
CVE(s): CVE-2023-2335
Impacted products: Surelock Windows from 2.3.12 through 2.40.0
Affected component: Autologon feature, Windows registry
Vulnerability Overview: An unencrypted password stored in the Windows registry can be obtained by an individual with administrative privileges and access to registry values.
Known Attack Vectors: A malicious actor needs local system access to view the registry, or the Remote Registry service must be turned on to view the registry over the same network.
Mitigations: Upgrade to Surelock Windows v2.41.0.
Acknowledgements: 42Gears would like to thank Philips India for responsibly reporting this issue to us.
Reference:
https://www.cve.org/cverecord?id=CVE-2023-2335
https://nvd.nist.gov/vuln/detail/CVE-2023-2335
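
A read-only PowerShell check for the conditions described in this advisory, added here as an example and not 42Gears' own code. It assumes the Autologon feature uses the standard Windows Winlogon values (the advisory does not name the registry key) and that the product's uninstall entry has a DisplayName containing "SureLock"; it reports only whether a password value is present, never the value itself.

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt.
# Assumption: Autologon uses the standard Winlogon values (key not named in the advisory).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$auto = (Get-ItemProperty -Path $winlogon -Name AutoAdminLogon -ErrorAction SilentlyContinue).AutoAdminLogon
$pw   = (Get-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue).DefaultPassword
$hasPlaintext = -not [string]::IsNullOrEmpty($pw)
Remove-Variable pw   # presence is all we need; do not keep or print the value

# Remote Registry is the network path named under "Known Attack Vectors".
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue

# Assumption: the uninstall entry's DisplayName contains "SureLock".
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SureLock*' } |
    ForEach-Object {
        $v = $null
        $parsed = [version]::TryParse([string]$_.DisplayVersion, [ref]$v)
        [pscustomobject]@{
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            # Affected: 2.3.12 through 2.40.0; fixed in 2.41.0.
            Affected = $parsed -and $v -ge [version]'2.3.12' -and $v -lt [version]'2.41.0'
        }
    }

# Summary of the exposure conditions, followed by the per-install detail.
[pscustomobject]@{
    AutoAdminLogonEnabled    = ($auto -eq '1')
    PlaintextPasswordPresent = $hasPlaintext
    RemoteRegistryStatus     = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
    RemoteRegistryStartType  = if ($svc) { "$($svc.StartType)" } else { 'n/a' }
    AffectedInstalls         = @($installed | Where-Object Affected).Count
}
$installed | Format-Table -AutoSize
```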