Vulnerability title
Insecure storage of sensitive information in MobaXTerm <25.0
Vulnerability description
The vulnerability exists in the password storage feature of Mobatek's MobaXterm in versions before 25.0. MobaXterm uses an initialization vector (IV) generated by encrypting null bytes with a derivative of the user's master key. Because the master key is static and AES ECB produces the same output for the same input, the AES CFB IV is always the same. The static IV makes it easier to obtain sensitive information and to decrypt the stored data.
CVSS information
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability category
Use of insufficiently random values
Vulnerability title
Insecure storage of sensitive information in MobaXTerm <25.0.
Vulnerability description
The vulnerability exists in the password storage of Mobatek's MobaXterm in versions below 25.0. MobaXTerm uses an initialisation vector (IV) consisting only of zero bytes and a master key to encrypt each password individually. In the default configuration, on opening MobaXTerm, the user is prompted for their password. A derivative of the password is used as the master key. As both the master key and the IV are the same for each stored password, the AES CFB ciphertext depends only on the plaintext (the password). The static IV and master key make it easier to obtain sensitive information and to decrypt data when it is stored at rest.
CVSS information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Vulnerability category
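The weakness in both descriptions above, as an added Go example that is not MobaXterm's code: AES-CFB under a fixed master key with the all-zero IV the advisory describes, beside the same routine with a fresh IV per record. The key derivation (SHA-256 here), the function names and the sample password are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveKey stands in for the master-key derivation; SHA-256 here is an assumption.
func deriveKey(masterPassword string) []byte {
	sum := sha256.Sum256([]byte(masterPassword))
	return sum[:]
}

// encryptCFB encrypts one stored password with AES-CFB; the caller picks the IV.
func encryptCFB(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // deriveKey always yields 32 bytes, so this cannot happen
	}
	out := make([]byte, len(plaintext))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out, plaintext)
	return out
}

// zeroIV reproduces the flaw (all zero bytes, identical for every record);
// freshIV is the fix (random per record, to be stored beside the ciphertext).
func zeroIV() []byte { return make([]byte, aes.BlockSize) }
func freshIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// ciphertextsCollide encrypts one password twice under an IV policy and compares the results.
func ciphertextsCollide(key []byte, password string, newIV func() []byte) bool {
	first := encryptCFB(key, newIV(), []byte(password))
	second := encryptCFB(key, newIV(), []byte(password))
	return bytes.Equal(first, second)
}

func main() {
	key := deriveKey("master-password") // constructed sample value
	fmt.Println(ciphertextsCollide(key, "hunter2", zeroIV), ciphertextsCollide(key, "hunter2", freshIV)) // true false
}
```

Because the first CFB keystream block is AES_K(IV), a fixed IV also means that passwords shorter than one block which share a prefix share a ciphertext prefix, so stored records can be compared without decrypting them.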
N/A