Hello Everybody,
Recently we had a difficult-to-track, not reproducible and rarely occurring problem with our OpenVPN dial-in connections (still open after several weeks). The Sophos support switched on the DebugLogging without mentioning to us that this will log passwords for the user and admin web interface, VPN dial-in and connections to backend systems (Active Directory LDAP).
After waiting some weeks to get the issue resolved I looked into this myself and noticed that all passwords are exposed in the logfiles. This was not only all AD SSO user passwords but also high-level administrative passwords that were granted permissions via Active Directory group membership to administrate the firewall devices. Although the administration interface was strictly limited by IP (nobody can log in with this credential from a normal internet address), the security breach here is the exposed administrative password in the logfiles.
Operating systems like Windows and Unix take great care not to expose their passwords in clear text, and these cannot be easily cracked - even by their administrators. Putting passwords in clear text in a logfile in a procedure that can easily be switched on by every administrator of the device is a MAJOR SECURITY ISSUE in my opinion. Think of a criminal administrator in a big company who switches this on and impersonates the users and other administrators to do some illegal stuff in their names.
This should be switched off permanently ASAP in all production devices or at least all passwords need to be masqueraded.
What do you think about this?
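The post asks for passwords to be masked before they reach a logfile. The following is an added example, not code from the original post and not Sophos's own logging code: a small redaction filter that masks password-like `key=value` fields at the point where a line is written, plus a scanner that counts how many lines in an existing log still expose such a field. The log line format, the field names (`password`, `passwd`, `pwd`, `bindpw`, `secret`) and the sample lines are all constructed assumptions for the demonstration; a real device's debug log will use its own format and field names.

```python
import logging
import re

# Constructed sample debug-log lines in a made-up key=value format.
# They are NOT real Sophos log output; they only illustrate the problem
# described in the post (clear-text credentials in a debug log).
SAMPLE_LOG_LINES = [
    'auth: user=jdoe password=Summer2024! result=ok',
    'ldap bind dn="cn=svc-fw,ou=svc,dc=example,dc=com" bindpw=S3cretBind! rc=0',
    'webadmin login admin=fwadmin pwd="Adm1n;Pass" src=10.0.0.5',
    'openvpn: client 10.8.0.2 connected on tun0',
]

# Field names treated as secrets (assumption; extend for your own log format).
SECRET_KEYS = ("password", "passwd", "pwd", "bindpw", "secret")
REDACTED = "[REDACTED]"

# Matches key=value where the value is either a double-quoted string or a
# run of non-whitespace. The negative lookahead keeps already-redacted
# fields from counting as exposures on a second pass.
_SECRET_FIELD = re.compile(
    r"(?i)\b(" + "|".join(SECRET_KEYS) + r")=(?!\[REDACTED\])(\"[^\"]*\"|\S+)"
)


def redact(line: str) -> str:
    """Return the line with every secret field's value replaced by REDACTED."""
    return _SECRET_FIELD.sub(lambda m: f"{m.group(1)}={REDACTED}", line)


def count_exposed(lines) -> int:
    """Count lines that still carry a clear-text secret field (audit helper)."""
    return sum(1 for line in lines if _SECRET_FIELD.search(line))


class RedactingFilter(logging.Filter):
    """logging.Filter that masks secrets before a handler formats the record.

    The formatted message is computed first so that %-style arguments are
    also covered, then stored back as a literal message with no args.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # never drop the record, only sanitize it


def build_logger(name: str = "debuglog") -> logging.Logger:
    """Build a logger whose handler refuses to write unmasked secret fields."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    if not logger.handlers:
        handler = logging.StreamHandler()
        handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
        handler.addFilter(RedactingFilter())
        logger.addHandler(handler)
    return logger


if __name__ == "__main__":
    print("exposed before redaction:", count_exposed(SAMPLE_LOG_LINES))
    cleaned = [redact(line) for line in SAMPLE_LOG_LINES]
    print("exposed after redaction: ", count_exposed(cleaned))
    log = build_logger()
    # Even a %-formatted call cannot leak the value through this handler.
    log.debug("auth: user=%s password=%s result=ok", "jdoe", "Summer2024!")
```

Attaching the filter to the handler rather than the logger matters: a filter on a logger only sees records created on that logger, while a handler-level filter also covers records propagated from child loggers. The `count_exposed` helper is the audit side of the same problem: run it over an existing debug log to learn how many lines need to be treated as a credential exposure and rotated.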