Vulnerability Note VU#301788

Toshiba CHEC contains a hard-coded cryptographic key

Original Release date: 08 Jun 2015 | Last revised: 08 Jun 2015

Overview

Toshiba CHEC, versions 6.6, 6.7, and possibly earlier, contain a hard-coded cryptographic key.

Description

CWE-321: Use of Hard-coded Cryptographic Key - CVE-2014-4875

Toshiba CHEC, versions 6.6, 6.7, and possibly earlier, contain a hard-coded cryptographic key in the CreateBossCredentials.jar file. An attacker that can access the bossinfo.pro file may be able to use the hard-coded AES key to decrypt its contents, including the BOSS database credentials.

Impact

A remote, authenticated attacker may be able to acquire privileged credentials to the BOSS database.

Solution

Apply an update

Toshiba has addressed this issue by removing CreateBossCredentials.jar in versions 6.6 build level 4014 and 6.7 build level 4329. Users are advised to upgrade to the latest version available and to verify that the CreateBossCredentials.jar file has been removed from the installation.
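The remediation above has two parts that an administrator has to confirm independently: the installed build level is at or above the fixed level for its version, and the jar file is actually gone. The following Python script is an added illustration of that check, not vendor tooling; it assumes the caller already knows the installed version string and build level (the page does not describe where CHEC records them) and that the jar, if present, sits somewhere under the install root passed in. Versions the note does not list as fixed (older ones, or unknown strings) are treated as affected, matching the note's "possibly earlier".

```python
"""Verify the VU#301788 remediation on a Toshiba CHEC install (added example).

Assumptions: version and build level are supplied by the caller; the jar is
searched for recursively under the given install root.
"""
from pathlib import Path
import tempfile

# Fixed build levels named in the vulnerability note; anything below is affected.
FIXED_BUILD = {"6.6": 4014, "6.7": 4329}
LEAKY_JAR = "createbosscredentials.jar"  # compared case-insensitively


def build_is_fixed(version: str, build: int) -> bool:
    """True only when the note names this version/build as fixed.

    Versions absent from the table are treated as affected (conservative).
    """
    threshold = FIXED_BUILD.get(version.strip())
    return threshold is not None and build >= threshold


def find_leaky_jar(install_root: Path) -> list:
    """Return every copy of CreateBossCredentials.jar under install_root."""
    return sorted(
        p for p in install_root.rglob("*")
        if p.is_file() and p.name.lower() == LEAKY_JAR
    )


def assess(install_root, version: str, build: int) -> dict:
    """Combine both conditions: fixed build AND the jar removed."""
    jars = find_leaky_jar(Path(install_root))
    fixed = build_is_fixed(version, build)
    return {
        "build_fixed": fixed,
        "jar_paths": [str(p) for p in jars],
        "remediated": fixed and not jars,
    }


def demo(version: str, build: int, jar_present: bool) -> dict:
    """Build a constructed install tree in a temp dir and assess it.

    The jar content is a placeholder (zip magic bytes); only its presence matters.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        if jar_present:
            (root / "lib" / "CreateBossCredentials.jar").write_bytes(b"PK\x03\x04")
        return assess(root, version, build)


if __name__ == "__main__":
    print(demo("6.6", 4000, True))    # unpatched build, jar still present
    print(demo("6.7", 4329, True))    # fixed build, but jar not removed
    print(demo("6.7", 4329, False))   # fully remediated
```

The point of keeping `build_fixed` and `jar_paths` as separate fields is that a fixed build with the jar still on disk is a distinct finding: the update has been applied but the file the note asks administrators to confirm is gone is still there.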

Vendor Information

Vendor                       Status     Date Notified   Date Updated
Toshiba Commerce Solutions   Affected   06 Aug 2014     02 Jun 2015

CVSS Metrics

Group          Score   Vector
Base           5.0     AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal       4.3     E:POC/RL:U/RC:UR
Environmental  4.5     CDP:LM/TD:M/CR:M/IR:ND/AR:ND

Credit

Thanks to David Odell for reporting this vulnerability.

This document was written by Todd Lewellen and Joel Land.

Other Information

  • CVE IDs: CVE-2014-4875
  • Date Public: 08 Jun 2015
  • Date First Published: 08 Jun 2015
  • Date Last Updated: 08 Jun 2015
  • Document Revision: 22