Coze Studio Hard-Coded Cryptographic Key Vulnerability in AES Encryption
Vulnerability
A vulnerability exists in Coze Studio versions through 0.2.4, specifically within the AES encryption implementation in the file backend/domain/plugin/encrypt/aes.go. The implementation uses hard-coded cryptographic keys, so anyone with visibility into the source code can recover them and decrypt affected data offline. The encryption is also deterministic: identical plaintexts produce identical ciphertexts, which reveals when two encrypted values are the same. The vulnerability can be exploited remotely, but exploitation is considered difficult because of the high complexity involved.
Impact
The hard-coded keys in the AES encryption implementation compromise the confidentiality of encrypted data, allowing for offline decryption by anyone with access to the source code. This vulnerability is particularly concerning in multi-tenant or forked deployments, where the same keys may be shared across different environments, amplifying the risk of unauthorized data access.
Reproduction
The vulnerability can be reproduced by accessing the Coze Studio source code and locating the hard-coded encryption keys in the file backend/domain/plugin/encrypt/aes.go. The keys can then be extracted and used to decrypt any data encrypted with them, demonstrating the vulnerability's impact.
Remediation
A patch has been implemented and is available on the Coze Studio GitHub repository. It addresses the deterministic-output part of the vulnerability by replacing the fixed IV with a random one while maintaining backward compatibility. However, further work is needed to remove the hard-coded keys and to add an authentication tag to the encryption process.
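To make the remediation concrete, the following Go example (added here; it is not Coze Studio's code and the 32-byte keys are constructed placeholders) contrasts the weak pattern this advisory describes, a key embedded in the source plus a fixed IV, with the hardened form: a caller-supplied key, a fresh random nonce per message, and an AES-GCM authentication tag that makes tampering and wrong-key decryption detectable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// Weak pattern (illustrative, not Coze Studio's code): a key living in the source
// plus an all-zero IV is deterministic and decryptable by anyone who reads the repo.
func weakEncrypt(plaintext []byte) []byte {
	block, _ := aes.NewCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed 32-byte key
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, plaintext)
	return out
}

// Hardened form: caller-supplied key (from a secret store, never the source),
// a fresh random nonce per message, and an AES-GCM authentication tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func openGCM(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, io.ErrUnexpectedEOF // too short to hold a nonce
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil) // errors on tampering or a wrong key
}
```

Calling weakEncrypt twice on the same input returns identical bytes, whereas sealGCM yields a different ciphertext each time and openGCM rejects any modified byte.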