Headline
CVE-2022-26660: RunAsSpc vulnerable security problem
RunAsSpc 4.0 uses a universal and recoverable encryption key. In possession of a file encrypted by RunAsSpc, an attacker can recover the credentials that were used.
Security
Universal encryption key is used in RunAsSpc 4.0
Specification on Mitre CVE-2022-26660
RunAsSpc 4.0.0.0 use a universal and recoverable encryption key.
In possession of a file encrypted by RunAsSpc, an attacker can recover the credentials that were used, because encryption key is universal.
Recovery of the password used for encryption can used for Identity theft and privilege escalation.
The password must be store reversible to call the application with that encrypted account.
Reversible credentials are unsafe, because it can be decrypted reverse or intercepted while it is passed to the system.
See also Microsoft Docs Store passwords >> Data protection
Solution:
- We recommend not using critical credentials with far-reaching privileges in the encrypted file.
- Modify the password after the job is done.
- Patched since version 4.1. No longer a universal key.
- Use the further development RunAsRob without stored credentials.
Vulnarable is notified on 2022-03-01.
Thanks for the responsible disclosure to the cyber security team INTRINSEC
intrinsec.com
Date: 2022-03-07
Data protection
Imprint