Vulnerability Note VU#301788
Toshiba CHEC contains a hard-coded cryptographic key
Original Release date: 08 Jun 2015 | Last revised: 08 Jun 2015

Overview
Toshiba CHEC, versions 6.6, 6.7, and possibly earlier, contain a hard-coded cryptographic key.

Description
CWE-321: Use of Hard-coded Cryptographic Key – CVE-2014-4875
Toshiba CHEC, versions 6.6, 6.7, and possibly earlier, contain a hard-coded cryptographic key in the CreateBossCredentials.jar file. An attacker that can access the bossinfo.pro file may be able to use the hard-coded AES key to decrypt its contents, including the BOSS database credentials.
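As an added illustration (not code from Toshiba or from this note), the pattern CWE-321 describes beside a hardened alternative. The key bytes, keystore path, alias and file layout below are constructed placeholders, not values from the affected product.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.FileInputStream;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays;

public class CredentialFileDecryptor {

    // WEAK (CWE-321): key material compiled into the class. Anyone who can read
    // the jar can recover it, so encrypting the credentials file gains nothing.
    // Constructed all-zero placeholder, not the key from the advisory.
    private static final byte[] HARDCODED_KEY = new byte[16];

    // Assumed layout: 16-byte IV followed by AES-CBC ciphertext.
    static byte[] decryptWeak(byte[] blob) throws Exception {
        if (blob.length < 32) throw new IllegalArgumentException("blob too short");
        byte[] iv = Arrays.copyOfRange(blob, 0, 16);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"),
               new IvParameterSpec(iv));
        return c.doFinal(blob, 16, blob.length - 16);
    }

    // HARDENED: the key is a SecretKey entry in a PKCS12 keystore that lives
    // outside the jar with restrictive file permissions; the keystore password
    // is supplied at runtime (service account secret, not a constant). The
    // ciphertext is authenticated with AES-GCM, so tampering is detected.
    // Assumed layout: 12-byte nonce followed by GCM ciphertext and tag.
    static byte[] decryptFromKeystore(Path keystorePath, char[] password,
                                      String alias, byte[] blob) throws Exception {
        if (blob.length < 12 + 16) throw new IllegalArgumentException("blob too short");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystorePath.toFile())) {
            ks.load(in, password);
        }
        SecretKey key = (SecretKey) ks.getKey(alias, password);
        if (key == null) throw new IllegalStateException("no key under alias " + alias);
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(blob, 12, blob.length - 12);
    }
}
```

The keystore entry for the hardened path can be provisioned with the JDK's keytool (`keytool -genseckey -keystore boss.p12 -storetype PKCS12 -keyalg AES -keysize 256 -alias boss`, with placeholder names), so no key bytes ever appear in source or in the jar.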

Impact
A remote, authenticated attacker may be able to acquire privileged credentials to the BOSS database.

Solution
Apply an update

Toshiba has addressed this issue by removing CreateBossCredentials.jar in versions 6.6 build level 4014 and 6.7 build level 4329. Users are advised to upgrade to the latest version available and to ensure that the CreateBossCredentials.jar file has been removed.

Vendor Information

Vendor                      Status    Date Notified  Date Updated
Toshiba Commerce Solutions  Affected  06 Aug 2014    02 Jun 2015

CVSS Metrics

Group          Score  Vector
Base           5.0    AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal       4.3    E:POC/RL:U/RC:UR
Environmental  4.5    CDP:LM/TD:M/CR:M/IR:ND/AR:ND

References

http://cwe.mitre.org/data/definitions/321.html

Credit

Thanks to David Odell for reporting this vulnerability.
This document was written by Todd Lewellen and Joel Land.

Other Information

CVE IDs:
CVE-2014-4875

Date Public:
08 Jun 2015

Date First Published:
08 Jun 2015

Date Last Updated:
08 Jun 2015

Document Revision:
22
