NEMS Adagios exposes passwords on screen

Taomyn
Junior Member
Posts: 5
Joined: Fri Dec 11, 2020 10:57 am

Post by Taomyn »

Was diagnosing my first attempts to configure NEMS for my Windows servers when I saw to my amazement that my credentials are not protected:
[Screenshot: Clipboard01.jpg]
I hid my private information in the shot but the password is there in clear text. I hope I'm not going to find this showing up more and more as I learn to configure and use NEMS.
Marshman
Member
Posts: 67
Joined: Fri Feb 02, 2018 5:33 pm
Location: New York, USA

Re: NEMS Adagios exposes passwords on screen

Post by Marshman »

Taomyn,
Thank you for posting this and many apologies. I have notified Robbie by direct message and I am sure he will fix this as soon as possible. Robbie has very high standards about security and he will most likely reply as well when he sees this.

Again, thank you for posting and trying NEMS.
Best regards,

MarshMan  NY, USA
Robbie Ferguson
Posting Freak
Posts: 835
Joined: Wed Mar 07, 2012 3:23 pm
Location: Ontario, Canada

Re: NEMS Adagios exposes passwords on screen

Post by Robbie Ferguson »

Hi Taomyn,
When you configure your WMI user on your Windows host, you will configure it to only have access to WMI. That account should be a one-trick pony. Your screenshot clearly demonstrates why it is imperative that a user never enter their standard computer user credentials for a check with WMI.

As the administrator user of your NEMS Server, you can indeed see the credentials you have entered.

This is not a weakness in NEMS Linux specifically. This is by design of WMI and WMIC.

The key point to remember is that you are logged in to NEMS as the administrator user and therefore have access to private information such as this. A normal user on your network would not have access to this.

And I reiterate again: The WMI user on your Windows host must only have access to WMI components. This is a user you specifically configure on your Windows machine for WMI communications. Presumably, if you have configured WMI correctly, even if a malicious user on your network were to obtain the user login and password, they couldn't do much more with that than tell how much hard drive space you have free (for example).

This does raise our concerns about the dangers behind unknowing users "accidentally" entering something like administrator credentials for WMI checks, and therefore we will work on further strengthening the instructions regarding WMI user creation in the NEMS Documentation in an effort to keep users safe from potentially risky situations (such as using a Windows user account with admin access to access WMI).

Cheers!
Robbie // The Bald Nerd
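
One way to check the point made in the reply above, that the WMI account should have access to nothing beyond WMI. This is an added example, not part of the thread or of the NEMS project; the account name `nems-wmi`, the function name `Test-WmiAccountScope` and the group allow-list are assumptions to adapt to your own setup. Run it on the monitored Windows host.

```powershell
# Added example: list every local group the dedicated WMI account belongs to
# and flag any group outside a small allow-list.
# Assumptions: the account is called 'nems-wmi' and the allow-list below is what
# your non-admin WMI setup uses. Only direct local membership is checked, not
# membership nested through domain groups.
function Test-WmiAccountScope {
    param(
        [Parameter(Mandatory)][string]$Account,
        [string[]]$AllowedGroups = @('Distributed COM Users', 'Performance Monitor Users', 'Users')
    )
    foreach ($group in Get-LocalGroup) {
        try {
            $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
        } catch {
            # A group can fail to enumerate (for example, orphaned SIDs); report and continue.
            Write-Warning "Could not enumerate '$($group.Name)': $($_.Exception.Message)"
            continue
        }
        # Member names look like COMPUTER\user or DOMAIN\user; compare the user part.
        $hit = $members | Where-Object { ($_.Name -split '\\')[-1] -eq $Account }
        if ($hit) {
            [pscustomobject]@{
                Account = $Account
                Group   = $group.Name
                Allowed = $AllowedGroups -contains $group.Name
            }
        }
    }
}

$findings = @(Test-WmiAccountScope -Account 'nems-wmi')
$findings | Format-Table -AutoSize

$excess = @($findings | Where-Object { -not $_.Allowed })
if ($findings.Count -eq 0) {
    Write-Warning "Account 'nems-wmi' was not found in any local group; check the account name."
} elseif ($excess.Count -gt 0) {
    # Membership in Administrators (or anything else unexpected) means the password
    # visible to the NEMS administrator unlocks more than WMI reads.
    Write-Warning ("WMI account is in groups outside the allow-list: " + ($excess.Group -join ', '))
} else {
    Write-Output 'WMI account is only in allow-listed groups.'
}
```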