Headline
CVE-2023-48055
SuperAGI v0.0.13 was discovered to use a hardcoded key for encryption operations. This vulnerability can lead to the disclosure of information and communications.
# Cryptographic API Misuse Vulnerability: Do not use a constant key for encryption

### Description:
SuperAGI v0.0.13, a dev-first open source autonomous AI agent framework, uses a constant default key to encrypt sensitive data. This undermines the encryption scheme entirely: the key can be read out of the public source code and used to decrypt any data encrypted with it.

`key = b'e3mp0E0Jr3jnVb96A31_lKzGZlSTPIp4-rPaVseyn58='`

### Affected Version
[v0.0.13](https://github.com/TransformerOptimus/SuperAGI/releases/tag/v0.0.13)

### Location:
- https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/helper/encyption_helper.py#L5
- https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/helper/encyption_helper.py#L7
- https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/helper/encyption_helper.py#L39

### Reference
- CWE-326: Inadequate Encryption Strength
- CWE-259: Use of Hard-coded Password

### Expected Behavior:
Encryption keys should be generated per deployment, securely managed, and kept confidential so that encrypted data stays protected. Ideally the key is stored in a secure environment or retrieved from a key management service, and is never committed to the repository.

### Actual Behavior:
- https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/controllers/config.py#L69
- https://github.com/TransformerOptimus/SuperAGI/blob/4afbd7c04e368c7ed6c07fc0956f80b7a93ced19/superagi/models/models_config.py#L83

Both call sites encrypt API keys for the configuration store using the helper that is built on the constant key shown above:

`key = b'e3mp0E0Jr3jnVb96A31_lKzGZlSTPIp4-rPaVseyn58='`

Because the codebase is public, anyone who obtains the encrypted configuration (for example from a database dump or backup) can decrypt every value encrypted with this key.
### Recommendation
- Do not use a constant key for encryption.
- Implement a process for securely generating encryption keys and rotating them regularly.
- Use a secure key management system to store the encryption keys outside of the codebase.

It is imperative to resolve this vulnerability to protect the data integrity and privacy of users of the SuperAGI framework. An immediate fix and release are recommended.
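As an added example, not SuperAGI's own code and not part of the original report, the following standard-library Python shows the recommendations in practice alongside an audit check for the weak pattern. It assumes the constant is consumed as a `cryptography.fernet.Fernet` key: the advisory does not name the primitive, but the literal's form (43 URL-safe base64 characters plus `=`, decoding to 32 bytes) is Fernet's key encoding. The environment variable name `SUPERAGI_ENCRYPTION_KEY`, the exception and function names, and the sample source text are illustrative assumptions.

```python
"""Key handling that replaces a hardcoded Fernet key, plus an audit check.

Added example for the advisory above; not SuperAGI's own code. Assumptions
the advisory does not state: the leaked constant is consumed as a
cryptography.fernet.Fernet key (43 URL-safe base64 characters plus '=',
i.e. 32 raw bytes), and a deployment supplies its own key through the
environment variable SUPERAGI_ENCRYPTION_KEY (hypothetical name).
Standard library only.
"""
import base64
import os
import re
import secrets
from typing import List, Mapping, Optional, Tuple

# The constant published in the advisory. It is public, so it is treated as
# compromised: a deployment still using it must be flagged, never accepted.
LEAKED_DEFAULT_KEY = b"e3mp0E0Jr3jnVb96A31_lKzGZlSTPIp4-rPaVseyn58="

ENV_VAR = "SUPERAGI_ENCRYPTION_KEY"  # hypothetical; use the project's own name
FERNET_KEY_BYTES = 32
# Fernet encodes 32 random bytes as 43 URL-safe base64 characters plus one '='.
FERNET_KEY_RE = re.compile(r"^[A-Za-z0-9_-]{43}=$")
# The same shape wrapped in a string literal (optionally bytes-prefixed) in source.
HARDCODED_KEY_RE = re.compile(r"""b?['"]([A-Za-z0-9_-]{43}=)['"]""")


class MissingKeyError(RuntimeError):
    """No key configured: fail closed rather than fall back to a constant."""


class CompromisedKeyError(RuntimeError):
    """The configured key is one that is publicly known."""


def is_fernet_shaped(key: bytes) -> bool:
    """True if key is 43 URL-safe base64 chars + '=' decoding to 32 bytes."""
    text = key.decode("ascii", "replace")
    if not FERNET_KEY_RE.match(text):
        return False
    return len(base64.urlsafe_b64decode(text)) == FERNET_KEY_BYTES


def generate_key() -> bytes:
    """Fresh random key in Fernet's encoding (what Fernet.generate_key() produces).

    Run once per deployment and store the result in a secrets manager or the
    environment, never in the repository.
    """
    return base64.urlsafe_b64encode(secrets.token_bytes(FERNET_KEY_BYTES))


def load_key(env: Optional[Mapping[str, str]] = None) -> bytes:
    """Read the key from the environment with no default value.

    Rejects malformed keys and the leaked default from CVE-2023-48055, so an
    upgraded deployment cannot keep running on the public key unnoticed.
    """
    if env is None:
        env = os.environ
    value = env.get(ENV_VAR, "")
    if not value:
        raise MissingKeyError(f"{ENV_VAR} is not set; generate one with generate_key()")
    key = value.encode("ascii", "replace")
    if not is_fernet_shaped(key):
        raise ValueError(f"{ENV_VAR} is not a 32-byte URL-safe base64 Fernet key")
    if secrets.compare_digest(key, LEAKED_DEFAULT_KEY):
        raise CompromisedKeyError("refusing the publicly known default key (CVE-2023-48055)")
    return key


def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Audit helper: (line number, literal) for every Fernet-shaped string literal.

    Any 43-character URL-safe base64 value plus '=' matches, so a hit is a
    lead to review, not proof; the leaked default is the one known-bad value.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in HARDCODED_KEY_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


# Constructed sample mirroring the pattern the advisory points at; it is not
# the contents of the real SuperAGI helper file.
SAMPLE_SOURCE = """\
from cryptography.fernet import Fernet
key = b'e3mp0E0Jr3jnVb96A31_lKzGZlSTPIp4-rPaVseyn58='
cipher = Fernet(key)
"""

if __name__ == "__main__":
    for lineno, literal in find_hardcoded_keys(SAMPLE_SOURCE):
        status = "LEAKED DEFAULT" if literal.encode() == LEAKED_DEFAULT_KEY else "review"
        print(f"line {lineno}: hardcoded Fernet-shaped key ({status})")
    for env in ({}, {ENV_VAR: LEAKED_DEFAULT_KEY.decode()}):
        try:
            load_key(env)
        except (MissingKeyError, CompromisedKeyError) as exc:
            print(f"rejected: {exc}")
    fresh = generate_key()
    print("accepted:", load_key({ENV_VAR: fresh.decode()}) == fresh)
```

The audit regex is the pre-commit or CI check that would have caught the literal in `encyption_helper.py`; `load_key` is the fix, and the point of its design is that there is no fallback branch at all, so a missing or known-bad key stops the service instead of silently encrypting under the public constant. Rotation is the one step the block does not execute: with the `cryptography` library it is `MultiFernet([new_key, old_key]).rotate(token)`, which re-encrypts a stored token under `new_key` while still accepting tokens produced under `old_key`, so existing configuration values can be migrated off the leaked key before `old_key` is dropped.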