Reolink Desktop Application AES Encryption Vulnerability

Vulnerability

A vulnerability exists in the Reolink desktop application version 8.18.12: the AES key used to encrypt user configuration files is hard-coded and predictable, derived from a fixed string embedded in the application. An attacker with local access to the user's AppData directory can recompute the key and decrypt the stored application data, exposing confidential information.

Impact

Exploitation of this vulnerability allows the decryption of sensitive user data, including the application configuration files. Because the key is symmetric and derived entirely from inputs the attacker can read, an attacker can also re-encrypt a modified configuration file, so the impact covers both unauthorized reading and manipulation of user settings.

Reproduction

To reproduce, read the file '%APPDATA%\com.reolink.app.client', which holds a base64-encoded AES ciphertext. The key for this first stage is generated from the hard-coded string 'com.reolink.app' and used together with a static initialization vector (IV), so anyone who can read the file can recompute the key and decrypt it; the plaintext is a string in UUID format. That UUID is then hashed, and the hash serves as the key that decrypts the user's configuration file '<UUID>.json' in the '%APPDATA%\reolink\' directory. Every input in this chain is either a constant in the application binary or stored on disk next to the ciphertext, so no secret protects the configuration file.

Remediation

Do not derive encryption keys from hard-coded or predictable strings. Generate a random per-installation key and protect it with a validated keystore provided by the operating system, such as Windows DPAPI or the macOS Keychain, rather than storing the key or its seed in the application. Use a fresh random IV for every encryption; a static IV reused under one key lets an attacker compare ciphertexts across files and versions. Note that DPAPI in user scope defends against other local accounts and against offline copies of the files, not against code already running as the same user.
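The following PowerShell script is an added example, not code from Reolink or from the advisory. It models the two-stage scheme described under Reproduction (constant string, static IV, UUID, hashed UUID, configuration file) and then the DPAPI-based remediation. The function names Get-KeyFromString, Invoke-AesCbc, Protect-Config and Unprotect-Config are this example's own, and the choice of SHA-256 as the key derivation, AES-CBC with PKCS7 padding as the mode, and an all-zero IV are assumptions: the advisory states neither the derivation nor the cipher mode. The UUID and the configuration JSON are constructed sample data.

```powershell
# Added example, not Reolink's code. Models the weak two-stage scheme and the DPAPI
# remediation. ASSUMPTIONS (not stated by the advisory): key = SHA-256(seed string),
# mode = AES-CBC/PKCS7, static IV = 16 zero bytes. Sample UUID/config are constructed.
Add-Type -AssemblyName System.Security   # provides System.Security.Cryptography.ProtectedData (DPAPI)

function Get-KeyFromString {
    param([string]$Seed)
    # Deterministic: anyone who knows $Seed can recompute this key. That is the flaw.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Seed)) } finally { $sha.Dispose() }
}

function Invoke-AesCbc {
    param([byte[]]$Key, [byte[]]$IV, [byte[]]$Data, [switch]$Decrypt)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    $xf = if ($Decrypt) { $aes.CreateDecryptor() } else { $aes.CreateEncryptor() }
    try { return $xf.TransformFinalBlock($Data, 0, $Data.Length) }
    finally { $xf.Dispose(); $aes.Dispose() }
}

# ---- The weak scheme, as the application would run it ------------------------------
$constant = 'com.reolink.app'                 # hard-coded string named in the advisory
$staticIV = New-Object byte[] 16              # assumption: fixed all-zero IV
$uuid     = [guid]::NewGuid().ToString()      # constructed sample
$config   = '{"user":"admin","password":"hunter2"}'   # constructed sample config

# Stage 1: %APPDATA%\com.reolink.app.client = base64(AES(key(constant), staticIV, uuid))
$k1         = Get-KeyFromString $constant
$uuidBytes  = [Text.Encoding]::UTF8.GetBytes($uuid)
$clientFile = [Convert]::ToBase64String((Invoke-AesCbc -Key $k1 -IV $staticIV -Data $uuidBytes))

# Stage 2: %APPDATA%\reolink\<UUID>.json = AES(hash(uuid), staticIV, config)
$k2         = Get-KeyFromString $uuid
$configFile = Invoke-AesCbc -Key $k2 -IV $staticIV -Data ([Text.Encoding]::UTF8.GetBytes($config))

# ---- Attacker with read access to both files: no secret input anywhere -------------
$stage1Plain = Invoke-AesCbc -Key (Get-KeyFromString $constant) -IV $staticIV -Data ([Convert]::FromBase64String($clientFile)) -Decrypt
$uuidFound   = [Text.Encoding]::UTF8.GetString($stage1Plain)
$stage2Plain = Invoke-AesCbc -Key (Get-KeyFromString $uuidFound) -IV $staticIV -Data $configFile -Decrypt
"Recovered from the two files alone: " + [Text.Encoding]::UTF8.GetString($stage2Plain)

# ---- Remediation: random key, fresh IV per encryption, key wrapped by DPAPI --------
function Protect-Config {
    param([string]$PlainText)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $key = New-Object byte[] 32; $rng.GetBytes($key)   # per-installation random key
    $iv  = New-Object byte[] 16; $rng.GetBytes($iv)    # fresh IV for this ciphertext
    $ct  = Invoke-AesCbc -Key $key -IV $iv -Data ([Text.Encoding]::UTF8.GetBytes($PlainText))
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    # Only the DPAPI-wrapped key, the IV and the ciphertext go to disk. The wrap is bound
    # to this Windows account, so another local user or a copied AppData folder cannot unwrap it.
    return @{
        WrappedKey = [System.Security.Cryptography.ProtectedData]::Protect($key, $null, $scope)
        IV         = $iv
        CipherText = $ct
    }
}

function Unprotect-Config {
    param($Stored)
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $key = [System.Security.Cryptography.ProtectedData]::Unprotect($Stored.WrappedKey, $null, $scope)
    return [Text.Encoding]::UTF8.GetString((Invoke-AesCbc -Key $key -IV $Stored.IV -Data $Stored.CipherText -Decrypt))
}

$stored = Protect-Config $config
"Round trip for the same Windows user: " + (Unprotect-Config $stored)
```

Run this on Windows; ProtectedData throws PlatformNotSupportedException on non-Windows .NET. The first half prints the configuration using nothing but the two files and the constant, which is the whole finding. In the remediation half, the DPAPI user scope stops other accounts and offline copies, but code already executing as the victim can still call Unprotect; and CBC gives no integrity, so on PowerShell 7 an authenticated mode such as System.Security.Cryptography.AesGcm is the better choice for the configuration itself.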

Added: Oct 21, 2025, 7:26 PM
Updated: Oct 21, 2025, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.