CWE-313: Cleartext Storage in a File or on Disk

What is Cleartext Storage in a File or on Disk?

• Overview: Cleartext Storage in a File or on Disk refers to a vulnerability where sensitive information is stored in an unencrypted format, making it easily accessible to unauthorized users who gain access to the file or storage medium.

• Exploitation Methods:

• Attackers can exploit this vulnerability by gaining access to file systems or disk storage where sensitive data is stored in cleartext.
• Common attack patterns include unauthorized file access, disk imaging, and leveraging administrative privileges to read sensitive files.

• Security Impact:

• Direct consequences of successful exploitation include unauthorized access to sensitive data such as passwords, personal information, or proprietary data.
• Potential cascading effects involve further data breaches, privilege escalation, and increased vulnerability to social engineering attacks.
• Business impact could include loss of customer trust, legal penalties, financial loss, and damage to brand reputation.

• Prevention Guidelines:

• Specific code-level fixes include implementing encryption for sensitive data before storing it on disk or in files.
• Security best practices involve regularly auditing file storage for sensitive data, using secure storage mechanisms, and ensuring access controls are properly configured.
• Recommended tools and frameworks include using well-established encryption libraries (e.g., OpenSSL, Bouncy Castle) and incorporating secure storage solutions like hardware security modules (HSMs) or secured cloud services.

Corgea can automatically detect and fix Cleartext Storage in a File or on Disk in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

import os

def store_passwords_in_cleartext(passwords):
    with open('passwords.txt', 'w') as f:
        for username, password in passwords.items():
            f.write(f'{username}:{password}\n')  # Vulnerable: Writing passwords directly to file in cleartext

if __name__ == "__main__":
    user_passwords = {
        'user1': 'password123',
        'user2': 'securepassword',
    }
    store_passwords_in_cleartext(user_passwords)

Explanation:

• Vulnerability: This code stores sensitive data, such as passwords, directly on disk in cleartext. This means anyone with access to the file can read the passwords.
• Risk: Unauthorized access to the file can lead to credential exposure and potential system compromise.

How to fix Cleartext Storage in a File or on Disk?

To mitigate this vulnerability, sensitive information should be encrypted before being stored on disk. Using a library like cryptography in Python allows for secure encryption of data. This ensures that even if the file is accessed by unauthorized users, the data remains unintelligible.

Best Practices:

• Use strong encryption algorithms (e.g., AES).
• Securely store encryption keys separately from the encrypted data.
• Regularly rotate encryption keys and use a secure key management system.

Fixed Code Example

from cryptography.fernet import Fernet
import os

def generate_key():
    return Fernet.generate_key()

def store_encrypted_passwords(passwords, key):
    fernet = Fernet(key)
    with open('passwords.enc', 'wb') as f:  # Using a secure file extension for encrypted data
        for username, password in passwords.items():
            encrypted_password = fernet.encrypt(password.encode())  # Encrypting passwords before storage
            f.write(f'{username}:{encrypted_password.decode()}\n'.encode())  # Writing encrypted data to file

if __name__ == "__main__":
    user_passwords = {
        'user1': 'password123',
        'user2': 'securepassword',
    }
    encryption_key = generate_key()
    store_encrypted_passwords(user_passwords, encryption_key)
    # Important: Store the encryption_key securely and separately from the data file

Explanation:

• Fix: The improved code uses the cryptography library to encrypt passwords before writing them to disk, ensuring the data is protected.
• Security Controls:
  • An encryption key is generated using Fernet.generate_key().
  • Each password is encrypted with the Fernet object before being stored.
  • Encrypted passwords are stored in a file with a .enc extension to signify encrypted content.
• Key Management: The encryption key should be stored in a secure location, separate from the encrypted data, and handled with care to prevent unauthorized access.