Cato Client - Account Takeover Via Sensitive Log Data (CVE-2024-6977)

Summary

The Cato Client was found to store authentication data within the trace logs generated by the desktop client during SSO authentication.

Impact

A low-privileged, local attacker could obtain the authentication data stored within the Cato Client trace logs, and re-use it to connect to the VPN from an unauthorised device.

Affected Versions

Windows Client version 5.10.26, and below.

Details

The Cato Client desktop component was configured to store “trace” logs in the following location on disk:

C:\Users\<USER>\AppData\Local\Temp\CatoClient.Trace.*.log

This is configured in the .config file stored at:

C:\Program Files (x86)\Cato Networks\Cato Client\CatoClient.exe.config

Cato Client Log Config

Inspecting the decompiled source code for the CatoNetworks.CatoRollingTextWriterTraceListener class, we can see that the client logs to the folder returned by Path.GetTempPath(), which for a normal (non-SYSTEM) user is C:\Users\<USER>\AppData\Local\Temp.

CatoRollingTextWriterTraceListener - Logs to %TEMP% Folder

This means that the resulting log file can be read by the user running the CatoClient.exe desktop client.

During testing, it was identified that the web server, which runs on localhost during SSO authentication, would log the RawUrl property of the HTTP request during the httpListenerCallback of the CatoNetworks.Model.CatoHttpListener class as shown below:

httpListenerCallback Logging

This RawUrl would typically contain the full config file which is returned by the Cato SSO Web Service, meaning that the full, un-obfuscated config file would be logged to a user-readable location as shown in the log snippet below:

Full Config Logged

An attacker with low-privileged remote access to the user’s machine, or a malicious local user, could extract this config data from the log file and replay it to an unauthorised machine in order to gain access to the VPN.

The following screenshot shows how it was possible to replay this URL to another machine in order to authenticate to the VPN:

Replaying Authentication

Mitigation Steps

Install version 5.10.34, or later.
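The following is an added example, not part of the original advisory or the Cato Client: a defender-side check that scans CatoClient.Trace.*.log files in a temp directory for logged URLs whose query strings carry long values, and reports them with the values redacted. It assumes trace logs written before the upgrade are still on disk and are UTF-8 or ASCII text; the sample line layout, the /callback path, the state and config parameter names and the 16-character threshold are all constructed for illustration.

```python
import glob
import os
import re
import tempfile
from urllib.parse import parse_qsl

# A request target or absolute URL that carries a query string.
URL_WITH_QUERY = re.compile(r"""(?:https?://[^\s"'?]+|/[^\s"'?]*)\?[^\s"']+""")

def redact_line(line, min_len=16):
    """Return (redacted_line, names of query parameters with long values)."""
    names = []
    def _redact(match):
        base, query = match.group(0).split("?", 1)
        pairs = []
        for name, value in parse_qsl(query, keep_blank_values=True):
            if len(value) >= min_len:  # length heuristic (assumed threshold)
                names.append(name)
                value = f"<redacted:{len(value)} chars>"
            pairs.append(f"{name}={value}")
        return base + "?" + "&".join(pairs)
    return URL_WITH_QUERY.sub(_redact, line), names

def scan_text(text):
    """Return [(line_number, parameter_names, redacted_line)] for risky lines."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        redacted, names = redact_line(line)
        if names:
            hits.append((number, names, redacted))
    return hits

def scan_temp_logs(temp_dir=None):
    """Scan CatoClient.Trace.*.log in temp_dir (default: current user's temp)."""
    pattern = os.path.join(temp_dir or tempfile.gettempdir(), "CatoClient.Trace.*.log")
    report = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as handle:
            hits = scan_text(handle.read())
        if hits:
            report[path] = hits
    return report

# Constructed sample; line layout, path and parameter names are hypothetical.
SAMPLE_LOG = (
    "2024-01-01 10:00:00 [INFO] SSO listener started\n"
    "2024-01-01 10:00:05 [INFO] RawUrl: /callback?state=abc&config=" + "A" * 64 + "\n"
)
```

Calling scan_temp_logs() with no argument checks the current user's temp directory; pass a path to check another user's profile when running with sufficient rights.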
