I discovered a bad security defect in Dude: it is possible for users who do not have the “sensitive” policy enabled to read the passwords of devices monitored by Dude. This way such a read-only Dude user can, for example, log in to a router with Winbox, if a tool using the password entered in the device settings is defined in Dude.
How to reproduce:
- enter a password for some device in the device settings in Dude
- define a new Dude Tool, name it for example “Pwd” and enter this command: http:///[Device.Password]
- create a new user “dude” and add it to a group with only the dude policy enabled (sensitive and password policies not checked)
- log in to the Dude client as user dude
- run the “Pwd” tool on the device: it opens a browser with the device password in the URL
Please fix this ASAP, as this bug blocks our use of Dude for tech support staff with read-only privileges.
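An added example, not part of the original post and not code from MikroTik or The Dude: the reproduction above works because a Tool command interpolates [Device.Password] for whoever runs it, regardless of the “sensitive” policy. The audit below generalizes that check to every defined tool, not just “Pwd”. The Dude keeps tools and groups in its own GUI/database, so the dict shapes, the tool commands other than the one in the post, and the variable names besides [Device.Password] are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Set

# Constructed sample data (assumed shape, not an export format of The Dude).
# Tool name -> command string as entered in Tool settings.
TOOLS: Dict[str, str] = {
    "Ping": "ping [Device.FirstAddress]",
    "Web": "http://[Device.FirstAddress]/",
    # embeds the device credentials in a command line (assumed tool)
    "Winbox": "winbox.exe [Device.FirstAddress] [Device.UserName] [Device.Password]",
    # the tool from the post: the password ends up in a browser URL
    "Pwd": "http:///[Device.Password]",
}

# Group name -> set of enabled Dude policies (constructed).
GROUPS: Dict[str, Set[str]] = {
    "full": {"dude", "sensitive", "password", "write"},
    "support-ro": {"dude", "read"},  # read-only helpdesk group, no "sensitive"
}

# Variables whose value a user without the "sensitive" policy must not see.
# Only Device.Password is shown leaking in the post; extend as needed.
SENSITIVE_VARS: Set[str] = {"Device.Password"}

# Dude substitutes [Object.Field] placeholders in tool commands.
VAR_RE = re.compile(r"\[([A-Za-z]+\.[A-Za-z]+)\]")


def variables_in(command: str) -> List[str]:
    """Return the [Object.Field] placeholders a tool command interpolates."""
    return VAR_RE.findall(command)


def leaking_tools(tools: Dict[str, str]) -> Dict[str, List[str]]:
    """Tools whose command interpolates at least one sensitive variable."""
    result: Dict[str, List[str]] = {}
    for name, cmd in tools.items():
        hits = [v for v in variables_in(cmd) if v in SENSITIVE_VARS]
        if hits:
            result[name] = hits
    return result


def exposed_groups(groups: Dict[str, Set[str]]) -> List[str]:
    """Groups that may run tools ("dude" policy) but lack the "sensitive" policy."""
    return sorted(g for g, pol in groups.items()
                  if "dude" in pol and "sensitive" not in pol)


def audit(tools: Dict[str, str], groups: Dict[str, Set[str]]) -> List[str]:
    """One finding per (leaking tool, under-privileged group) pair."""
    findings: List[str] = []
    for name, hits in sorted(leaking_tools(tools).items()):
        for grp in exposed_groups(groups):
            findings.append(
                f"tool '{name}' exposes {', '.join(hits)} to group '{grp}'")
    return findings


if __name__ == "__main__":
    for line in audit(TOOLS, GROUPS):
        print(line)
```

Until the server enforces the “sensitive” policy on variable substitution, the practical mitigation this audit supports is to remove (or restrict to a privileged group) every tool whose command references a credential variable, and to re-run the check whenever a tool is added, since any user who can define tools can recreate the “Pwd” one.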