Toshiba CHEC, versions 6.6, 6.7, and possibly earlier, contain a hard-coded cryptographic key.
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2014-4875
Toshiba CHEC, versions 6.6, 6.7, and possibly earlier, contain a hard-coded AES key in the CreateBossCredentials.jar file, the key used to protect the bossinfo.pro file. Because the key ships with the software itself, an attacker who can read bossinfo.pro can use the hard-coded AES key to decrypt its contents, including the BOSS database credentials.
A remote, authenticated attacker may be able to acquire privileged credentials to the BOSS database.
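The following script is an added illustration of the CWE-321 pattern described above, not Toshiba code: it shows why a key compiled into a distributed artifact offers no confidentiality (anyone holding the artifact can reproduce the decryption) and contrasts it with a design where the key is supplied by the operator at run time and never ships with the software. The credential file layout, the function and variable names, the placeholder key value, and the environment-variable name are all assumptions; the cipher is an HMAC-SHA256 counter-mode toy standing in for AES so that the script runs on the Python standard library alone.

```python
"""Hard-coded key (CWE-321) versus operator-supplied key: an added illustration.

Not Toshiba code. The cipher below is a toy stream cipher built from HMAC-SHA256
(a stand-in for AES so this runs on the standard library); names and the
credentials layout are assumptions for the demonstration.
"""
import hashlib
import hmac
import os
import secrets

# Constructed sample in the style of a credentials properties file (not real data).
SAMPLE_CREDENTIALS = b"db.host=boss.example.internal\ndb.user=boss_admin\ndb.password=hunter2\n"


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with keys derived from `key`: nonce(16) || ciphertext || tag(32)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or a tampered blob."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(enc_key, nonce, ct)


# --- Vulnerable pattern (CWE-321): the key is a constant inside the shipped code ---
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # assumed placeholder


def vulnerable_write_credentials(creds: bytes) -> bytes:
    return seal(HARDCODED_KEY, creds)


def vulnerable_read_credentials(blob: bytes) -> bytes:
    return unseal(HARDCODED_KEY, blob)


def attacker_with_artifact_only(blob: bytes) -> bytes:
    """Anyone holding the artifact lifts the constant and runs the same decryption.

    With a real jar the key would come from decompiling or dumping the class
    constant pool; here it is simply the module-level constant.
    """
    lifted_key = HARDCODED_KEY
    return unseal(lifted_key, blob)


# --- Hardened pattern: the key is provisioned by the operator and never ships ---
KEY_ENV_VAR = "BOSS_CREDENTIAL_KEY"  # assumed name; any operator-controlled secret store works


def load_operator_key(env=os.environ) -> bytes:
    """Fetch the 32-byte key from the operator's environment; refuse to run without it."""
    hex_key = env.get(KEY_ENV_VAR)
    if not hex_key or len(hex_key) != 64:
        raise RuntimeError(f"{KEY_ENV_VAR} must hold a 32-byte hex key set by the operator")
    return bytes.fromhex(hex_key)


def hardened_write_credentials(creds: bytes, key: bytes) -> bytes:
    return seal(key, creds)


def hardened_read_credentials(blob: bytes, key: bytes) -> bytes:
    return unseal(key, blob)


def attacker_guessing_key(blob: bytes, guess: bytes):
    """Without the operator's key the file alone is useless: returns None on failure."""
    try:
        return unseal(guess, blob)
    except ValueError:
        return None


if __name__ == "__main__":
    blob = vulnerable_write_credentials(SAMPLE_CREDENTIALS)
    print("attacker with artifact recovers:", attacker_with_artifact_only(blob).decode())
    key = load_operator_key({KEY_ENV_VAR: secrets.token_hex(32)})
    blob2 = hardened_write_credentials(SAMPLE_CREDENTIALS, key)
    print("attacker without operator key gets:", attacker_guessing_key(blob2, bytes(32)))
```

The point the script makes is that encryption with a key shipped inside the product is only obfuscation: the vulnerable reader and the attacker call the same function with the same constant. Moving the key to something the operator controls (an environment variable here; a keystore or secrets manager in practice) means a copy of the credential file plus a copy of the software is no longer enough, and the authentication tag makes a wrong-key attempt fail cleanly instead of yielding garbage that might be mistaken for plaintext.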
Apply an update. Because the key is compiled into CreateBossCredentials.jar, no configuration change can protect bossinfo.pro; only a vendor update that stops distributing the key with the software addresses the root cause. Until the update is applied, restrict which accounts can read bossinfo.pro, and rotate the BOSS database credentials after updating, since any copy of the file obtained earlier can still be decrypted with the shipped key.
Thanks to David Odell for reporting this vulnerability.
This document was written by Todd Lewellen and Joel Land.
Date First Published: 2015-06-08
Date Last Updated: 2015-06-08 13:54 UTC