CVE-2022-45546
Last updated
Last updated
ScreenCheck BadgeMaker is a suite of applications that allow clients to design, create and operate identity badges. The suite consists of:
BadgeMaker Identity. Application used to authenticate into the Share Server database and manage information inside.
BadgeMaker Design. Responsible for designing and creating badges.
BadgeMaker Share Server. Database server responsible for holding all of the information stored in badges.
BadgeMaker v2.6.2.0 and below allow unencrypted plain-text traffic to flow in the network. The design choice of transmitting information create an opportunity for internal personnel to sniff the traffic, thus allowing obtaining credentials used to authenticate into the Share Server and viewing information exchanged between Share Server database and Identity client.
For the simplicity of vulnerability, not much is required besides basic knowledge of Wireshark. Example below will provide a look of how the traffic looks when attempting to authenticate using incorrect credentials and correct credentials.
Some of the information has been redacted for obvious reasons.
There is no reason to have plain-text unencrypted traffic flowing freely in the traffic, especially when it comes to credentials and sensitive information. Implementing encryption is a necessity. Until the security feature is implemented, isolate Share Server database and Identity clients from the rest of the network to mitigate information disclosure vulnerability.