Reolink Desktop Application Hardcoded Initialization Vector Vulnerability in AES-CFB Encryption
Vulnerability
A vulnerability exists in the Reolink Desktop Application version 8.18.12 because its AES-CFB encryption implementation uses a hardcoded Initialization Vector (IV). This flaw allows attackers with access to the application environment to reliably decrypt encrypted configuration data. Although the IV is generated at runtime, it is always the same value, which compromises the encryption by making decryption of sensitive data predictable.
Impact
Exploitation of this vulnerability allows for the decryption of encrypted configuration files and other sensitive data, thereby compromising data confidentiality.
Reproduction
While the application is running, the hardcoded IV value can be retrieved through the DevTools JavaScript console. The function 'window.napiDecrypt.getAesIv()' returns a Promise that resolves to the constant string 'bcswebapp1234567'. This demonstrates that the IV is reused across all encryption operations, violating cryptographic best practices.
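The effect of a constant IV in CFB mode, next to the corrected pattern of a fresh random IV per message, is shown in the following added example; it is not code from the Reolink application. The key, the AES-128 key size, the two configuration strings and all function names are constructed assumptions; only the IV string comes from this page.

```javascript
// Added illustration, not Reolink code. KEY, key size and sample configs are constructed.
const crypto = require('node:crypto');

const KEY = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex'); // constructed key
const FIXED_IV = Buffer.from('bcswebapp1234567', 'utf8'); // constant IV reported on this page

// Weak pattern: every message is encrypted under the same key and the same IV.
function encryptFixedIv(plaintext) {
  const c = crypto.createCipheriv('aes-128-cfb', KEY, FIXED_IV);
  return Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
}

// Corrected pattern: fresh random IV per message, stored in front of the ciphertext.
function encryptRandomIv(plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-128-cfb', KEY, iv);
  return Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()]);
}

// Reads the IV back from the first 16 bytes of the stored blob.
function decryptRandomIv(blob) {
  const d = crypto.createDecipheriv('aes-128-cfb', KEY, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]).toString('utf8');
}

// Number of leading bytes two buffers have in common.
function sharedPrefixLen(a, b) {
  let n = 0;
  while (n < a.length && n < b.length && a[n] === b[n]) n++;
  return n;
}

// Constructed sample configs that differ only in the last field.
const CONFIG_A = '{"host":"192.0.2.10","user":"admin","pass":"alpha"}';
const CONFIG_B = '{"host":"192.0.2.10","user":"admin","pass":"bravo"}';

function demo() {
  return {
    plain: sharedPrefixLen(Buffer.from(CONFIG_A), Buffer.from(CONFIG_B)),
    fixed: sharedPrefixLen(encryptFixedIv(CONFIG_A), encryptFixedIv(CONFIG_B)),
    random: sharedPrefixLen(encryptRandomIv(CONFIG_A), encryptRandomIv(CONFIG_B)),
  };
}

console.log(demo());
```

With the fixed IV the two ciphertexts agree for exactly as many bytes as the plaintexts do, so unchanged fields are visible without the key; with per-message IVs the stored blobs already diverge inside the IV.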
