VMware Cloud Community
GMCON
Enthusiast

Plugin AD Machine Clean UP Password shown in clear text

I am on vRealize 7.0.1 and I have plugin AD cleanup properties set for each domain, and I of course have the password encrypted, and it shows encrypted when I look at the properties. Yet I just noticed that if you select a machine on the Items tab, then "View Parent Details", and go to the Properties tab, it will show you the password in plain text. This seems like a bad security flaw: you keep it encrypted but then show it in plain text where every user can see it. Anyone else see this?

3 Replies
jmschulman
Contributor

Hey there - thanks for reporting this. Could you provide some additional reproduction steps here? I'd be very interested to verify this behavior and see about getting it fixed.

CSvec
Enthusiast

I decided to try this myself and it seems pretty easy to recreate. Add a custom property to any blueprint, check encrypted. It will be hidden properly. But if you provision any host and view parent and properties, all fields will be displayed in plain text.

I tried this with a Property Definition of both String and Secure String (side note: Secure String still shows as "String" on the Property Definitions root page, which is a bit confusing.) Both will show a plain text output under View Parent Details.

The field will be appropriately *****'d out if you simply view details on the resulting Machine.

edit: for clarity, this is running vRA 7.0.0, Build 3292778

jmschulman
Contributor

Thanks for the input here. I am definitely looking into this matter and appreciate you bringing it to our attention.
