Vulnerability Note VU#301788
Toshiba CHEC contains a hard-coded cryptographic key
Toshiba CHEC, versions 6.6, 6.7, and possibly earlier, contain a hard-coded cryptographic key.
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2014-4875
Toshiba CHEC, versions 6.6, 6.7, and possibly earlier, contain a hard-coded cryptographic key in the CreateBossCredentials.jar file. An attacker that can access the bossinfo.pro file may be able to use the hard-coded AES key to decrypt its contents, including the BOSS database credentials.
A remote, authenticated attacker may be able to acquire privileged credentials to the BOSS database.
Apply an update
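The weakness described above, shown beside one corrected design. This is an added example, not code from Toshiba CHEC or from the original note; the class, method and alias names, the placeholder key bytes, and the choice of a PKCS12 keystore with AES-GCM are assumptions made for illustration.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class CredentialFileKey {
    // Anti-pattern (CWE-321): the key is a constant inside the JAR, identical on
    // every install. Constructed placeholder bytes, not taken from any product.
    static SecretKey hardCodedKey() {
        return new SecretKeySpec("0123456789abcdef".getBytes(StandardCharsets.US_ASCII), "AES");
    }

    // Hardened: a per-install key read from a keystore that lives outside the JAR;
    // the path, password and alias come from the deployment (hypothetical names).
    static SecretKey provisionedKey(Path store, char[] pw, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(store)) { ks.load(in, pw); }
        return (SecretKey) java.util.Objects.requireNonNull(ks.getKey(alias, pw), "missing " + alias);
    }

    // AES-GCM with a fresh random 96-bit nonce; returns nonce || ciphertext || tag.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array();
    }

    public static void main(String[] args) throws Exception {
        // Demo only: create the keystore an installer would provision, in a temp file.
        char[] pw = "constructed-demo-password".toCharArray();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("cred-file-key", kg.generateKey(), pw, null);
        Path p = Files.createTempFile("demo", ".p12");
        try (OutputStream out = Files.newOutputStream(p)) { ks.store(out, pw); }
        SecretKey key = provisionedKey(p, pw, "cred-file-key");
        byte[] blob = encrypt(key, "db.user=demo".getBytes(StandardCharsets.UTF_8));
        System.out.println("sealed " + blob.length + " bytes under a per-install key");
        Files.delete(p);
    }
}
```

In a real deployment the keystore password must itself come from outside the application package (for example an OS-protected secret store), otherwise the hard-coded secret has only moved.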
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Toshiba Commerce Solutions | Affected | 06 Aug 2014 | 02 Jun 2015 |
Thanks to David Odell for reporting this vulnerability.
This document was written by Todd Lewellen and Joel Land.
- CVE IDs: CVE-2014-4875
- Date Public: 08 Jun 2015
- Date First Published: 08 Jun 2015
- Date Last Updated: 08 Jun 2015
- Document Revision: 22