################################################################################
#
# COMPASS SECURITY ADVISORY
# https://compass-security.com/en/research/advisories
#
################################################################################
#
# Product:  NetCrunch
# Vendor:   AdRem
# CSNC ID:  CSNC-2019-017
# CVE ID:   CVE-2019-14482
# Subject:  Hardcoded SSL Private Key
# Risk:     High
# Effect:   Remotely exploitable
# Authors:  Sylvain Heiniger
#           Thierry Viaccoz
#           Fabio Poloni
# Date:     26.07.2019
#
################################################################################

Introduction:
-------------
NetCrunch [1] is a so-called "agentless" monitoring solution developed by
AdRem. It allows system administrators to monitor, visualize and get alerts
from many kinds of systems in their network. The solution consists of a server
and a fat client (also called console), as well as a web client.

Due to its architecture, the monitoring server is a critical system, as it
holds credentials, most of the time privileged, for all monitored systems.

Compass Security identified a hardcoded SSL private key vulnerability in the
AdRem NetCrunch web client. The same hardcoded SSL private key is used across
different customers' installations when no other SSL certificate is installed,
which allows remote attackers to defeat cryptographic protection mechanisms by
leveraging knowledge of this key from another installation.


Affected:
---------
Initially vulnerable:
* AdRem NetCrunch 10.6.0.4587

Not vulnerable:
* AdRem NetCrunch 11.0.0.5282

No other version was tested, but it is believed that older versions are also
vulnerable.


Technical Description:
----------------------
Upon installing NetCrunch, if "Use OpenSSL" is chosen and "Let me specify
secure OpenSSL key and certificate files" is not selected, the following
warning message is displayed: "Temporary keys will be used. Not recommended
for access from public network!".
The keys used are not generated for the installation but are hardcoded and
shared between all installations of NetCrunch.

The following certificate is used for all new installations of NetCrunch:

$ openssl x509 -text -noout -in AdRemNetCrunch.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c0:80:51:c0:8d:90:9b:2a
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, ST = New York, L = New York, O = AdRem Software, CN = AdRem Software, emailAddress = support@adremsoft.com
        Validity
            Not Before: Jan 13 12:22:09 2012 GMT
            Not After : Jan 13 12:22:09 2022 GMT
        Subject: C = US, ST = New York, L = New York, O = AdRem Software, CN = AdRem NetCrunch, emailAddress = support@adremsoft.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:a7:d1:f8:dd:a3:76:ca:af:2a:bb:49:03:9c:a3:
                    93:ec:84:c0:5a:29:6e:68:14:fe:07:e2:7b:a7:66:
                    fb:2e:67:c2:a5:e7:fa:dc:4d:72:94:54:1b:32:16:
                    c1:57:20:37:1f:1c:ce:3d:58:92:5b:d8:be:04:3a:
                    8e:07:26:0d:16:ca:d1:d9:2b:46:f8:1a:58:dd:58:
                    10:a7:35:73:5e:4b:f6:5c:30:70:1d:7b:62:f2:1f:
                    85:91:bd:b8:58:15:cc:a5:f6:63:6c:b5:fc:30:fd:
                    16:ed:3f:e8:4e:2f:a4:2d:73:80:09:f7:ba:fb:ef:
                    46:93:ed:7c:44:2c:10:f1:d9
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         0e:08:c1:ad:2f:bc:49:ea:a0:7d:2f:50:6e:18:9f:18:d4:8d:
         05:ce:38:39:da:bf:fe:ef:57:76:2b:5a:c8:6e:c6:8d:e6:3b:
         54:cf:63:5f:ef:3b:bd:53:e4:34:80:7e:94:16:26:7c:ac:86:
         ba:50:5e:3b:56:ee:b4:60:15:a2:3a:bf:e7:89:7c:b0:ed:2b:
         57:48:dd:1c:3d:d7:e6:e7:ee:ca:ef:ba:41:1e:b5:89:0f:ac:
         a4:27:7d:c7:d0:b1:7a:5d:e3:70:70:95:40:55:65:44:be:45:
         4d:34:d9:0b:3f:6f:26:f8:5a:fb:53:e3:21:d3:cc:06:b1:b9:
         3b:fb


Workaround / Fix:
-----------------
Generate a new certificate for all new installations of NetCrunch.

As a NetCrunch customer, update your installation to the latest version to
receive the fix.
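
Added example, not part of the original advisory and not AdRem code: a Python
check an administrator can run against their own NetCrunch web client to see
whether it still serves the shared certificate, by comparing the served
certificate's serial number with the one shown above. The host and port given
to fetch_der and all function names are assumptions; matching on the serial
alone is a choice made here because the advisory lists no fingerprint.

```python
import socket
import ssl

# Serial number of the shared certificate, exactly as printed in the advisory.
SHARED_SERIAL = "c0:80:51:c0:8d:90:9b:2a"

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_serial(der):
    """Serial number of a DER X.509 certificate as colon-separated hex."""
    tag, start, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, start, _ = _tlv(der, start)        # tbsCertificate ::= SEQUENCE
    tag, start, end = _tlv(der, start)
    if tag == 0xA0:                       # [0] version: absent in v1 certs
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serial INTEGER not found")
    # DER pads with 0x00 when the top bit is set; openssl does not print it.
    return (der[start:end].lstrip(b"\x00") or b"\x00").hex(":")

def uses_shared_certificate(der):
    """True if the certificate carries the serial listed in the advisory."""
    return der_serial(der) == SHARED_SERIAL

def fetch_der(host, port, timeout=5.0):
    """Fetch the server certificate without validating it (inspection only)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# Constructed sample: the outer DER framing of a v1 certificate carrying the
# advisory's serial, truncated after the serial (not the real certificate).
SAMPLE_V1 = bytes.fromhex("300d300b020900c08051c08d909b2a")

if __name__ == "__main__":
    print(uses_shared_certificate(SAMPLE_V1))
```

To audit a live installation, call uses_shared_certificate(fetch_der(host,
port)) with the address of your own NetCrunch web client.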


Timeline:
---------
2019-05-23: Discovery by Sylvain Heiniger, Thierry Viaccoz and Fabio Poloni
2019-08-01: Assigned CVE-2019-14482
2019-08-29: Initial vendor notification
2020-12-08: Coordinated public disclosure date


References:
-----------
[1] https://www.adremsoft.com/