hMailServer Hardcoded Cryptographic Key Vulnerability in Password Encryption

Vulnerability

hMailServer 5.8.6 and 5.6.9-beta derive the key and initialization vector (IV) used to protect saved passwords from a password and salt that are hardcoded in Encryption.cs (part of the hMailServer Administrator, hMailAdmin.exe). The resulting ciphertexts are written to hMailAdmin.exe.config as the credentials of the server connections configured in the admin GUI. Because the derivation inputs ship inside the program, anyone who can read the config file and has a copy of the binary (or has extracted the constants from it) can recompute the key and IV and decrypt every stored password; the encryption provides obfuscation rather than confidentiality. Since the key and IV never change, the scheme is also deterministic: identical passwords produce identical ciphertexts, which reveals password reuse across connections even before decryption.

Impact

An attacker with read access to hMailAdmin.exe.config can decrypt the passwords of all saved server connections and use them to log in to the corresponding hMailServer admin consoles, gaining administrative control of those mail servers.

Reproduction

Create a new server connection in the hMailServer Admin GUI, enter a password and save it. The password is encrypted with the key and IV derived from the hardcoded password and salt and written to hMailAdmin.exe.config. Re-deriving the key and IV from the same constants (taken from Encryption.cs or from the compiled hMailAdmin.exe) and decrypting the stored value returns the plaintext password, which confirms the issue.

Added: Jul 21, 2025, 4:21 PM
Updated: Jul 21, 2025, 4:21 PM

Vulnerability Rating (Custom Algorithm)

spread: 2.2
impact: 2.5
exploitability: 5.4
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.