Docusnap Hard-Coded Cryptographic Key Vulnerability Allowing Decryption of Sensitive Inventory Files
Vulnerability
A vulnerability exists in Docusnap versions through 13.0.1440.24261 and in all subsequent versions, involving a hard-coded cryptographic key. This key can be extracted from the .NET application and used to decrypt inventory files that contain sensitive information, such as firewall rules, installed programs, and local administrator details. The encryption method employs AES in CBC mode, with a static key and initialization vector. While the vulnerability primarily affects Windows inventory files, similar encryption is used for Linux files, albeit with a different key management approach.
Impact
The vulnerability allows for unauthorized decryption of Docusnap inventory files, disclosing sensitive information that could facilitate further attacks. Despite the potential for misuse, the overall security risk is considered low, given the access requirements and the nature of the information involved.
Reproduction
The vulnerability can be reproduced by downloading the Docusnap .NET application from the vendor's website. After installation, the hard-coded AES key can be extracted using .NET reflection. This key can then be used to decrypt any Windows Docusnap inventory file, which is saved as an encrypted XML document on a network share. The decrypted file can be processed to reveal its contents, including sensitive information such as firewall rules and local administrator lists.
Remediation
Users are advised to adjust the access control list (ACL) of the file share where inventory files are stored, restricting read access to prevent unauthorized users from accessing these files. Additionally, Docusnap should implement a more secure encryption method, such as asymmetric encryption with unique keys for each installation, to protect the inventory files.
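One way to check the first recommendation, as an added example that is not part of the original advisory or of Docusnap: a PowerShell audit that lists allow entries granting read access on the inventory folder to broad groups. The UNC path is a hypothetical placeholder, and the set of groups treated as too broad is an assumption to adapt to your environment.

```powershell
# Added example: find broad groups that can read the Docusnap inventory folder.
param(
    # Hypothetical placeholder; point this at the folder behind your inventory share.
    [string]$InventoryPath = '\\fileserver.example\Docusnap$\Inventory'
)

# Well-known SIDs assumed here to be broader than the inventory files warrant.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Domain-relative groups: S-1-5-21-<domain>-513 and -515.
$BroadDomainRids = @{ '513' = 'Domain Users'; '515' = 'Domain Computers' }

# Any of these bits lets the trustee read file contents.
$ReadData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$GenericRead = 0x80000000   # raw GENERIC_READ, sometimes stored unmapped in an ACE
$GenericAll  = 0x10000000   # raw GENERIC_ALL
$ReadMask    = $ReadData -bor $GenericRead -bor $GenericAll

function Get-BroadReadAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs instead of names so the check does not depend on the OS language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid  = $rule.IdentityReference.Value
        $name = $BroadSids[$sid]
        if (-not $name -and $sid -match '^S-1-5-21-(\d+-){3}(\d+)$') {
            $name = $BroadDomainRids[$Matches[2]]
        }
        if (-not $name) { continue }
        if ([int]$rule.FileSystemRights -band $ReadMask) {
            [pscustomobject]@{
                Path = $Path; Trustee = $name; Sid = $sid
                Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
            }
        }
    }
}

Get-BroadReadAce -Path $InventoryPath | Format-Table -AutoSize
```

This inspects only the NTFS ACL of the folder itself; share-level permissions are separate and can be reviewed on the file server with Get-SmbShareAccess.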
