CVE-2023-33283 - Marval MSM uses static encryption key for storing secrets

Description

Marval MSM uses a static encryption key for storing secrets in the database. An attacker who gains access to the encrypted secrets can decrypt them using the key taken from any other instance.

CVSS Score

5.1 - Medium

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Details of the vulnerability

Marval uses TripleDES with a static encryption key and IV when storing secrets and certain credentials in the database.

The encryption key is static and shared by all Marval instances. This makes it possible to decrypt secrets, such as stored credentials, from a database dump.

Because the key and IV are identical everywhere, an attacker who obtains them from one instance can decrypt the secrets contained in a database dump taken from any other instance.

This issue was identified in version 14.19.0.12476 but might affect earlier and later versions as well.
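The following Go program is an added illustration, not Marval's code: it models the weak pattern described above (3DES-CBC under an application-wide static key and IV, so every installation stores the same ciphertext for the same secret) next to the per-instance pattern a fix would need (a key unique to the installation, a fresh random nonce per record, and an authentication tag). The key and IV constants are constructed placeholders; the advisory does not publish the real values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
)

// Constructed placeholder key/IV modelling an app-wide static 3DES secret; NOT Marval's values.
var staticKey = []byte("0123456789abcdef01234567") // 24 bytes: three-key TDEA
var staticIV = []byte("fedcba98")                  // 8 bytes: DES block size

// weakEncrypt models the advisory's pattern: 3DES-CBC with a fixed key and IV, so
// every instance stores the same ciphertext for the same secret (PKCS#7 padded).
func weakEncrypt(secret []byte) []byte {
	block, _ := des.NewTripleDESCipher(staticKey) // key length is fixed above
	pad := block.BlockSize() - len(secret)%block.BlockSize()
	padded := append(append([]byte{}, secret...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, staticIV).CryptBlocks(out, padded)
	return out
}

// mustGCM builds AES-GCM for a per-instance key; a wrong key length is a bug.
func mustGCM(instanceKey []byte) cipher.AEAD {
	block, err := aes.NewCipher(instanceKey)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// strongEncrypt: per-instance key, fresh nonce per record, authenticated. Layout: nonce || ct || tag.
func strongEncrypt(instanceKey, secret []byte) []byte {
	gcm := mustGCM(instanceKey)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: refuse to store the secret rather than reuse a nonce
	}
	return gcm.Seal(nonce, nonce, secret, nil)
}

// strongDecrypt errors when the record was sealed under another instance's key.
func strongDecrypt(instanceKey, record []byte) ([]byte, error) {
	gcm := mustGCM(instanceKey)
	n := gcm.NonceSize()
	if len(record) < n {
		return nil, errors.New("truncated record")
	}
	return gcm.Open(nil, record[:n], record[n:], nil)
}
```

For a defender, identical ciphertext for a known credential across two unrelated installations is the tell-tale sign of the static-key design; the per-instance scheme never produces it.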

Remediation

The vendor is working on a fix; see the vendor response below.

Contact the vendor for further information/suggestions.

Vulnerability Disclosure Policy and Timeline

Vulnerabilities are disclosed, if not fixed earlier, after a minimum of 90 days from being reported to the vendor. If a patch is made available, we give another 30 days in addition to the initial 90 days (90+30). This is to ensure that the vendor can inform customers and give them sufficient time to patch any vulnerable systems. We make every effort to provide sufficient time for vendors to create patches and make them available to the public before disclosure. For any questions regarding our vulnerability disclosures, feel free to contact us.

Vendor response

Discussions with the security consultant have highlighted the route needed to exploit this vulnerability. The complexity of the steps involved is considerable and now understood. This is scheduled for development later in the year, to be resolved on or before the next LTS for 2024 under ticket MSM-7000.

The Marval Pen Test policy dictates at a minimum that once a year, a release is security hardened by outsourcing penetration testing to a certified partner and subsequently rectifying the serious and critical issues prior to release. This release is called a long-term support release (LTS) and is made available between January and February each year.

Credits

References