An unfixed hardcoded encryption key flaw in Dell’s Compellent Integration Tools for VMware (CITV) allows attackers to decrypt stored vCenter admin credentials and retrieve the cleartext password.

The flaw is caused by a static AES encryption key, shared across all installs, that is used to encrypt the vCenter credentials stored in the program’s configuration file.

Dell Compellent is a line of enterprise storage systems offering features such as data progression, live volume, thin provisioning, data snapshots and cloning, and integrated management.

The software supports storage integration with VMware vCenter, a widely used platform for managing ESXi virtual machines.

However, to integrate the client, it must be configured with VMware vCenter credentials, which are stored in the Dell program’s encrypted configuration file.

A hardcoded AES encryption key

LGM Security researcher Tom Pohl discovered during a penetration test that Dell CITV contains a static AES encryption key that is identical for all Dell customers across all installs.

This AES encryption key is used to encrypt the CITV configuration file containing the program’s settings, including the entered vCenter admin credentials.

As AES is a symmetric cipher, it uses the same key for encrypting and decrypting data. This allows an attacker who extracts the key to easily decrypt the configuration file and retrieve the encrypted password.

“The Dell software needs administrative vCenter credentials to function correctly, and it protects those credentials in their config files with a static AES key,” Pohl told BleepingComputer.

“Dell is interacting with vCenter servers, and is keeping its credentials in an encrypted config file that should be completely inaccessible for viewing by anything or anyone other than the Dell software.”

“Attackers should not be able to get access to the contents of that file, but it is accessible. However, due to this newly discovered vulnerability, attackers can extract the encryption key that the Dell software is using to protect the contents of that file.”

LGM Security’s team found that the Dell Compellent software directory contains a JAR file that, when decompiled, revealed a hardcoded static AES key.

JAR file in a Dell Compellent directory (LGM Security)

Using this AES key, Pohl could decrypt the Dell Compellent configuration file and retrieve the user name and password for the VMware vCenter administrator, as shown below.

Decrypting admin credentials using the recovered AES key (LGM Security)

The server holding that key was accessible using weak credentials (admin/admin). However, as has been seen repeatedly, threat actors can gain access to servers in many ways, whether through vulnerabilities or poor practices.

The issue could also be exploited by rogue insiders or low-privileged external attackers who have access to a Dell CITV installation.

In this instance, the LGM team could have gone further by leveraging access to domain controls but instead opted to create a domain admin account, exploiting the opportunity when a network admin mistakenly left their console unlocked.

Accessing the exposed vCenter server (LGM Security)

The analysts emailed Dell about their discovery on April 11th, 2023, but the computer and software vendor initially dismissed the report, misunderstanding its scope.

After further communication, Dell promised to roll out a fix by November 2023.

As the standard 90-day vulnerability disclosure window has expired, Pohl has publicly shared his research in a DEF CON session titled “Private Keys in Public Places.”

Pohl discovered similar hardcoded keys in Netgear and Fortinet products in 2020, which were subsequently fixed.
