StrongDM Desktop Application Authentication State Storage Vulnerability on Windows

Vulnerability

A vulnerability exists in the StrongDM Desktop Application for Windows, all versions prior to 23.74.0, and the StrongDM Desktop Client, all versions prior to 53.77.0. These applications store authentication state, including a JSON Web Token and asymmetric key material, in cleartext within a per-user state file located at C:\Users\<username>\.sdm\state.kv. This file is only protected by default user-level NTFS permissions. Exploitation of this vulnerability requires local read access to the affected user's profile directory, along with additional deployment and execution conditions on the target host.

Impact

This vulnerability allows for unauthorized access to sensitive authentication information, including tokens and key material, which could be misused to impersonate the user or gain unauthorized access to resources.

Remediation

Users should update to StrongDM Desktop Application version 23.74.0 or StrongDM Desktop Client version 53.77.0 or later.
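An audit check for the two points above (the per-user state file's NTFS ACL and the fixed versions), added here as example code that is not StrongDM's own tooling; the state file path and the fixed version numbers come from this advisory, while the function names and the source of the installed version number are assumptions:

```powershell
# Fixed versions as stated in the advisory.
$FixedVersions = @{
    'Desktop Application' = [version]'23.74.0'
    'Desktop Client'      = [version]'53.77.0'
}

function Test-SdmVersionVulnerable {
    # Returns $true when the installed version is below the fixed version for that product.
    param(
        [Parameter(Mandatory)][ValidateSet('Desktop Application', 'Desktop Client')]
        [string]$Product,
        [Parameter(Mandatory)][string]$InstalledVersion   # supplied by your software inventory (assumed)
    )
    return ([version]$InstalledVersion) -lt $FixedVersions[$Product]
}

function Get-SdmStateFileExposure {
    # Enumerates each profile's .sdm\state.kv (run elevated to see other users' profiles)
    # and reports Allow ACEs that grant read access to principals other than the file
    # owner, SYSTEM and the local Administrators group. Any extra reader widens the
    # default user-level protection the advisory describes.
    $trusted  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory) {
        $stateFile = Join-Path -Path $profile.FullName -ChildPath '.sdm\state.kv'
        if (-not (Test-Path -LiteralPath $stateFile)) { continue }

        $acl = Get-Acl -LiteralPath $stateFile
        $extraReaders = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readData) -ne 0) -and
            $_.IdentityReference.Value -ne $acl.Owner -and
            $_.IdentityReference.Value -notin $trusted
        }

        [pscustomobject]@{
            Profile      = $profile.Name
            StateFile    = $stateFile
            Owner        = $acl.Owner
            ExtraReaders = ($extraReaders.IdentityReference.Value -join ', ')
        }
    }
}

# Usage (replace the version string with the value from your inventory):
# Test-SdmVersionVulnerable -Product 'Desktop Application' -InstalledVersion '23.73.0'
# Get-SdmStateFileExposure | Format-Table -AutoSize
```

A state file present on a version the first function flags is a finding on its own, since the token and key material are cleartext there; a non-empty ExtraReaders column is an additional finding regardless of version.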

Added: May 29, 2026, 8:23 PM
Updated: May 29, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 2.9
remediation: 0.0
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.