CVE-2022-39013 Under certain conditions an authenticated attacker can get access to OS credentials

In order to protect applications against the access to OS credentials, we should consider the following measures: Control access to the system where the application is deployed.

Configure the application to only accept connections from trusted hosts.

Configure the application to close connections after a certain time period of inactivity.

In case of an application where the credentials are not stored in the database, consider using some form of state management such as Redis or some other data structure.

Application code should be written in a way that does not store credentials in the field where the credentials are visible to users.

Application code should be written in a way that does not allow the user to change the OS credentials.

Application should be designed in a way that does not allow any kind of OS credentials modification.

References:

1.   https://www.whitehatsec.com/blog/how-to-avoid-the-5-most-common-mistakes
2.   https://www.whitehatsec.com/blog/facebook

Timeline

Published on: 10/11/2022 21:15:00 UTC
Last modified on: 10/14/2022 15:27:00 UTC

References

• https://launchpad.support.sap.com/#/notes/3229132
• https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39013