NeuVector, Hard-Coded Cryptographic Key, CVE-2024-57170 (Critical)


NeuVector’s vulnerability stems from a static, hard-coded encryption key compiled directly into its source code. This single key encrypted all sensitive configuration data the platform stored. Because the key was identical in every NeuVector deployment, an attacker who obtained the encrypted data could decrypt it once they had discovered or reverse-engineered the embedded key. The attack vector is therefore: gain access to the encrypted configuration storage, extract the data, and decrypt it with the universally known hard-coded key, exposing all protected settings and secrets. In the patched versions, NeuVector replaced the static key with a dynamically generated key that is unique to each deployment and stored as a standard Kubernetes Secret, which is a far more secure practice. During an upgrade, the controller automatically re-encrypts any data still encrypted with the old key using the new key, provided it has the RBAC permissions needed to read the new Secret.
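
The flaw and the fix described above, as an added Go example that is not NeuVector's own code: a constant key baked into the binary (an all-zero stand-in here, not the real value) beside a randomly generated per-deployment key, plus the re-encryption step an upgrade performs so the old key no longer opens the stored data. Persisting the new key in a Kubernetes Secret is assumed to be done by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// key is a fixed 256-bit AES key; for this size aes.NewCipher and cipher.NewGCM cannot fail.
type key [32]byte
func (k key) gcm() cipher.AEAD {
	block, _ := aes.NewCipher(k[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}
// hardcodedKey mimics the flaw: a constant baked into the binary, identical in every deployment (all-zero constructed stand-in).
var hardcodedKey = key{}
// generateKey is the fix: a random per-deployment key minted at install time; the caller persists it in a Kubernetes Secret, not in code.
func generateKey() (k key, err error) {
	_, err = io.ReadFull(rand.Reader, k[:])
	return k, err
}

// seal encrypts with AES-256-GCM and prefixes the random 12-byte nonce.
func seal(k key, plaintext []byte) ([]byte, error) {
	aead := k.gcm()
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM authentication rejects data sealed under any other key.
func open(k key, data []byte) ([]byte, error) {
	aead := k.gcm()
	if n := aead.NonceSize(); len(data) >= n {
		return aead.Open(nil, data[:n], data[n:], nil)
	}
	return nil, io.ErrUnexpectedEOF
}

// reencrypt models the upgrade: data still sealed under the old static key is opened and sealed again under the per-deployment key.
func reencrypt(oldKey, newKey key, data []byte) ([]byte, error) {
	pt, err := open(oldKey, data)
	if err != nil {
		return nil, err
	}
	return seal(newKey, pt)
}
```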
Platform: NeuVector
Version: < v5.4.7
Vulnerability: Hard-coded Key
Severity: Critical

Date: 2024

Prediction: 2024-Patch-Exists

What Undercode Says:

```bash
# Look for a static key embedded in the controller binary (pre-v5.4.7 builds)
strings neuvector-controller | grep -i "encryption.key"

# Confirm the per-deployment key Secret exists after upgrading
kubectl get secret neuvector-store-secret -n neuvector -o yaml

# Check that the Secret can be read; add --as=system:serviceaccount:neuvector:<controller-sa>
# (placeholder SA name) to test the controller's own permissions rather than yours
kubectl auth can-i get secret -n neuvector

# Controller logs reveal RBAC failures that would block re-encryption on upgrade
kubectl logs deployment/neuvector-controller -n neuvector | grep "RBAC"
```

How to Exploit:

Extract encrypted configuration data from a NeuVector deployment. Use the publicly discoverable hard-coded key to decrypt the data, revealing all sensitive configuration secrets.

Protection from this CVE:

Upgrade NeuVector to version v5.4.7 or later. Ensure the NeuVector controller ServiceAccount has the RBAC permissions needed to read the `neuvector-store-secret` in the `neuvector` namespace, otherwise the controller cannot re-encrypt existing data with the new key during the upgrade.

Impact:

Full compromise of sensitive configuration data encrypted by NeuVector, including potential exposure of credentials and security policies.


Sources:

Reported By: github.com
