Truesec LAPSWebUI Browser Caching Vulnerability Allowing Privilege Escalation

Vulnerability

A vulnerability in Truesec's LAPSWebUI prior to version 2.4 allows browsers to cache local admin passwords. An attacker with access to a workstation can escalate privileges by reading these cached passwords. The root cause is that the application did not send proper cache control headers, so sensitive responses were stored in the browser cache where others in a shared browsing environment could retrieve them.

Impact

Exploitation of this vulnerability could lead to unauthorized access to local admin passwords, allowing for privilege escalation on the affected workstation.

Reproduction

The vulnerability can be reproduced by requesting the 'GET /Home/Password' endpoint in a version of Truesec LAPSWebUI prior to 2.4. Because the response carries no 'Cache-Control' header that forbids storage, browsers such as Mozilla Firefox may write the response, including sensitive data such as local admin passwords, to their cache. The cached copy can then be read back from the browser's cache storage.

Remediation

Users are advised to update to Truesec LAPSWebUI version 2.4 or later. If an immediate update is not possible, ensure that the web server hosting LAPSWebUI includes the 'Cache-Control: no-store' header in the response.
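The following is an added example, not code from Truesec or from the advisory, showing how a defender can verify the remediation above: it parses a raw HTTP response and reports whether the headers actually prevent browser storage (the page's stated fix is 'Cache-Control: no-store'; the additional check for a 'public' directive is a defence-in-depth addition of this example). The two sample responses are constructed for illustration and were not captured from LAPSWebUI.

```python
"""Added example: audit a raw HTTP response for the cache-control weakness described above.

The sample responses are constructed; they are not captured from LAPSWebUI.
"""
from typing import Dict, List


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response (status line plus headers).

    Header names are case-insensitive, so they are lower-cased for lookup.
    Parsing stops at the blank line that separates the headers from the body.
    """
    headers: Dict[str, str] = {}
    lines = raw_response.split("\r\n")
    for line in lines[1:]:  # lines[0] is the status line
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def cache_control_directives(value: str) -> set:
    """Split a Cache-Control value into directive names ('max-age=0' -> 'max-age')."""
    return {
        part.strip().split("=", 1)[0].lower()
        for part in value.split(",")
        if part.strip()
    }


def audit_cache_headers(raw_response: str) -> List[str]:
    """Return findings for a response that carries sensitive data (e.g. a password page).

    An empty list means the response instructs browsers not to store it.
    """
    headers = parse_headers(raw_response)
    findings: List[str] = []
    cache_control = headers.get("cache-control")
    if cache_control is None:
        findings.append("Cache-Control header missing: browser may store the response on disk")
    else:
        directives = cache_control_directives(cache_control)
        if "no-store" not in directives:
            # no-cache alone still permits storage; it only forces revalidation before reuse
            findings.append(f"Cache-Control lacks no-store: '{cache_control}'")
        if "public" in directives:
            findings.append("Cache-Control marks the response public: shared caches may keep it")
    return findings


def is_cache_safe(raw_response: str) -> bool:
    """True when a conforming browser cache must not store the response."""
    return not audit_cache_headers(raw_response)


# Constructed sample: a response with no cache headers, as the advisory describes for pre-2.4.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Password: (sensitive value here)</body></html>"
)

# Constructed sample: the same response with the remediation header applied.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "\r\n"
    "<html><body>Password: (sensitive value here)</body></html>"
)

if __name__ == "__main__":
    for label, response in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_cache_headers(response)
        print(f"{label}: {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print("  -", finding)
```

Feed the function the raw response of the password endpoint (for example, one saved from a browser's network tools or from a command-line HTTP client) to confirm that the web server in front of LAPSWebUI really adds the header; a 'Cache-Control' value that contains only 'no-cache' is reported as a finding because it still permits the browser to write the response to disk.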

Added: Mar 16, 2026, 2:48 PM
Updated: Mar 16, 2026, 2:48 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 3.4
remediation: 0.0
relevance: 4.0
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.