Gladinet CentreStack and Triofox, Hardcoded AES Key Vulnerability, CVE-2024-21499 (High)


Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 implemented AES encryption with hardcoded keys and initialization vectors, compromising cryptographic security. These static values are embedded in the software code, making them easily discoverable through binary analysis. Attackers can exploit this by crafting unauthenticated requests to public endpoints, using the known keys to decrypt sensitive data or encrypt malicious payloads. This leads to arbitrary local file inclusion, allowing access to server files like configuration or system files. The vulnerability degrades all security mechanisms relying on this AES scheme, exposing data in transit or at rest. With network access and no user interaction, attackers can leverage this to gain initial footholds. When chained with other vulnerabilities, it facilitates privilege escalation and full system compromise. The hardcoded keys remove the uniqueness required for secure encryption, rendering the protection ineffective. This weakness is particularly critical in exposed endpoints, enabling further exploitation without detection.
Platform: Gladinet CentreStack, Triofox
Version: Before 16.12.10420.56791
Vulnerability: Hardcoded AES key
Severity: High
Date: 2024-02-29

Prediction: Patch expected 2024-03-01

What Undercode Says:

Analytics:

– `strings /opt/triofox/ | grep -i "aes\|key\|iv"`
– `openssl enc -aes-256-cbc -d -in encrypted.bin -K 48617264636f646564 -iv 0`
– `curl -X POST http://target/endpoint -d "exploit_payload"`

How to Exploit:

  • Extract hardcoded keys from binaries.
  • Craft encrypted requests for file inclusion.
  • Read local files via exposed endpoints.
  • Chain with other vulnerabilities.

Protection from this CVE:

  • Update to the patched version (16.12.10420.56791 or later).
  • Use unique, per-deployment encryption keys and initialization vectors instead of values embedded in the code.
  • Implement authentication controls on the exposed endpoints.

Impact:

  • Data confidentiality loss.
  • Arbitrary file read.
  • System compromise potential.

Sources:

Reported By: www.cve.org