
LMG Security Researcher Identifies New Software Private Key Vulnerability Within a Fortune 500 Company’s Software


LMG Security, an internationally recognized cybersecurity consulting firm, has discovered a new vulnerability involving a static encryption key in a Fortune 500 company’s software. Any adversary with access to this specific software can use this key to decrypt the administrative credentials for VMware’s vCenter and leverage this access into a complete takeover. This type of vulnerability can easily be used in a zero-day attack. Discovered by Tom Pohl, LMG Security’s penetration testing team manager, this information is being released at Pohl’s DEFCON session, “Private Keys in Public Places.”

“Attackers are looking for private keys,” said Tom Pohl, penetration testing team manager at LMG Security. “While we were doing a penetration test, I discovered a static AES encryption key within the company’s Compellent Integration Tools for VMware (CITV). Once I retrieved the AES key, I was able to use it to decrypt the vCenter administrative credentials and gained complete access over their VMware environment.”


“This key is the same for EVERY customer!” Pohl continued. “If a criminal leverages this vulnerability, they could use it against any of this company’s customers. Firmware and software binaries are littered with private keys that are hidden but not necessarily secured. We need to raise awareness of the risks stemming from this attack vector.” This discovery was reported to the company with the standard 90-day window to fix the issue before this announcement.

Pohl says that if criminals find old private keys for many firmware devices, they can use them to breach the systems of a wide array of organizations. From there, they can expand their access and privileges to take control of the victims’ networks. Software vendors should take steps to secure these private keys, and organizations should always be vigilant about checking the security controls used by their current and prospective suppliers. Pohl also recommends that organizations conduct penetration testing at least annually, so expert white hat hackers can identify their security gaps before an attacker breaches their environment.

