Headline
CVE-2023-36647: CVCN
A hard-coded cryptographic private key used to sign JWT authentication tokens in ProLion CryptoSpike 3.0.15P2 allows remote attackers to impersonate arbitrary users and roles in web management and REST API endpoints via crafted JWT tokens.
Introduction
The CryptoSpike system installation packages consist of OVA/OVF files that, once deployed on hypervisors, start the installation steps to obtain a running Docker environment.
Analysis of the Docker configuration files and the host server file system confirmed that the RSA key pair the system uses to sign and verify JWT tokens is not randomly generated during installation or initialization; it is hard-coded inside the OVA/OVF packages, so a JWT token signed with it is valid on every customer's deployed instance.
Steps to reproduce
Deploy the CryptoSpike Leader OVA file two times on a hypervisor and wait until the initial startup sequence is completed.
Connect via SSH to the two running servers and compare the contents of the file containing the RSA private key at the path /prolion/config/core_services/auth_service/keys/priv.pem, for example:
As shown in the picture above, the key pairs are identical. Although the private key is encrypted, analyzing the docker-compose.yml file of the core_services service group reveals the password, which allows the private key to be decrypted easily.
Additionally, neither the product documentation nor the support scripts on the Leader server file system contain any procedure for generating a new private key.
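The two defects described above (a key pair shipped inside the image instead of generated per instance, and a decryption password stored in docker-compose.yml) can be checked for and avoided with a small amount of code. The following is an added example, not ProLion's code and not part of the original advisory: it assumes a hypothetical initialization step that creates the RSA signing key on first boot if none exists, stores it with 0600 permissions rather than behind a passphrase kept in a compose file, and exposes a public-key fingerprint that an operator can compare across deployments. The JWT functions implement RS256 directly with the Go standard library so the effect of per-instance keys is visible: a token issued by one instance is rejected by another. The file paths and claims are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"strings"
)

// LoadOrCreateKey returns the RSA signing key stored at path, generating a
// fresh 2048-bit key on first use. Hypothetical: this is what an install-time
// initialization step would do instead of shipping priv.pem inside the OVA.
func LoadOrCreateKey(path string) (*rsa.PrivateKey, error) {
	if data, err := os.ReadFile(path); err == nil {
		block, _ := pem.Decode(data)
		if block == nil || block.Type != "RSA PRIVATE KEY" {
			return nil, errors.New("invalid PEM in " + path)
		}
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der := x509.MarshalPKCS1PrivateKey(key)
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der})
	// 0600: only the service account can read the key; no passphrase that would
	// have to live in a compose file next to it.
	if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
		return nil, err
	}
	return key, nil
}

// Fingerprint returns the hex SHA-256 of the public key's DER encoding.
// Equal fingerprints on two deployments mean they share a key pair.
func Fingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 produces a compact JWT (header.payload.signature) using RS256.
func SignRS256(claims map[string]any, key *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyRS256 checks the signature against this instance's public key and
// returns the claims. A token minted under another instance's key fails here.
func VerifyRS256(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or malformed header") // also rejects alg=none
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "per-instance-keys")
	defer os.RemoveAll(dir)
	// Constructed: two independently initialized instances, each with its own key.
	a, _ := LoadOrCreateKey(dir + "/instance-a.pem")
	b, _ := LoadOrCreateKey(dir + "/instance-b.pem")
	fa, _ := Fingerprint(&a.PublicKey)
	fb, _ := Fingerprint(&b.PublicKey)
	fmt.Println("fingerprints differ:", fa != fb)
	tok, _ := SignRS256(map[string]any{"sub": "user1", "role": "viewer"}, a)
	_, errA := VerifyRS256(tok, &a.PublicKey)
	_, errB := VerifyRS256(tok, &b.PublicKey)
	fmt.Println("accepted by issuer:", errA == nil, "| accepted by other instance:", errB == nil)
}
```

In an audit of a fleet, running Fingerprint over each instance's public key and looking for duplicates is the quickest way to spot a shared key; on the vulnerable version every instance reports the same value, which is exactly the condition the two-deployment comparison above demonstrates.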