CVE-2022-25807: 
IGEL Universal Management Suite vulnerability analysis and mitigation

An issue was discovered in the IGEL Universal Management Suite (UMS) v6.07.100 that exposes Lightweight Directory Access Protocol (LDAP) bind credentials in encrypted and plaintext forms. This vulnerability allows a remote, authenticated attacker to obtain access to those credentials (Atredis Advisory).

The vulnerability exists in the LDAP authentication mechanism where the cmd_mgt_load_mgt_tree command instructs UMS to return data of type de.igel.rm.mgt.common.data.MgtTreeData that includes ADRootMasterData. This data contains Active Directory configuration information including the bind credentials used to search AD. The AD bind password is encrypted using DES with a hardcoded 8-byte static key that is known to both UMS and the UMS Console (Atredis Advisory).

The vulnerability allows remote authenticated attackers to obtain access to LDAP bind credentials, which could lead to unauthorized access to Active Directory services and potential compromise of directory services (Atredis Advisory).

The vendor recommends using only TLS-secured variants of LDAP access as a mitigation measure. Additionally, it is recommended to keep the UMS database and its backups under strict access control (Atredis Advisory).