-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2021-039
Product:                   MIK.starlight Server
Manufacturer:              MIK GmbH
Affected Version(s):       -
Tested Version(s):         7.9.5.24363
Vulnerability Type:        CWE-321: Use of Hard-Coded Cryptographic Key
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2021-07-02
Solution Date:             -
Public Disclosure:         2021-08-27
CVE Reference:             CVE-2021-36234
Author of Advisory:        Nicola Staller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The MIK.starlight server is a web server that provides the basis for the
MIK.starlight suite.

The manufacturer describes the product as follows (see [1]):

"MIK.starlight suite offers exceptional customisable user interfaces for
data analytics and reporting. With our self-service business intelligence
solutions, users can easily create their own reports or adapt existing
ones, freeing up time and ensuring optimum flexibility."

Due to the use of hard-coded cryptographic keys, encrypted passwords may
be recovered.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The MIK.starlight server offers a multitude of functions that can be
called through a WCF endpoint. One of them is the function "AddLogin".
The function writes user credentials to a file and encrypts them using a
static encryption key. The credentials can thus be decrypted by anyone
with knowledge of this key.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

-

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS is not aware of a solution for the described security issue.
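The weakness class described above (a key compiled into the server) beside one hardened alternative, as an added C# illustration that is not code from the advisory or from MIK; the class names, the AddLogin signature, the file layout and the placeholder key are assumptions, and ProtectedData (DPAPI) requires Windows and, on .NET Core, the System.Security.Cryptography.ProtectedData package.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Weak pattern (CWE-321): every installation ships the same key inside the
// binary, so anyone who extracts it once can decrypt every credential file
// written by any installation of the product.
static class WeakCredentialStore
{
    // Constructed placeholder key; the advisory does not publish the real one.
    static readonly byte[] StaticKey =
        Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef"); // 32 bytes

    public static void AddLogin(string path, string user, string password)
    {
        using Aes aes = Aes.Create();
        aes.Key = StaticKey;          // the defect: a constant shared by all hosts
        aes.GenerateIV();
        byte[] plain = Encoding.UTF8.GetBytes(user + ":" + password);
        using ICryptoTransform enc = aes.CreateEncryptor();
        byte[] cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
        File.WriteAllBytes(path, aes.IV.Concat(cipher).ToArray());
    }
}

// Hardened pattern: no key in the code at all. DPAPI derives the key from
// machine-bound secrets, so a copy of the binary plus the file is not enough
// to recover the password off-host. LocalMachine scope still lets any local
// process that can read the file decrypt it, so restrict the file ACL too.
static class HardenedCredentialStore
{
    public static void AddLogin(string path, string user, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(user + ":" + password);
        byte[] sealedBlob = ProtectedData.Protect(
            plain, null, DataProtectionScope.LocalMachine);
        File.WriteAllBytes(path, sealedBlob);
        CryptographicOperations.ZeroMemory(plain); // do not leave the secret in memory
    }

    public static string ReadLogin(string path)
    {
        byte[] plain = ProtectedData.Unprotect(
            File.ReadAllBytes(path), null, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }
}
```

Passing a per-installation secret as the optionalEntropy argument instead of null further limits decryption to processes that also hold that value.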
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-07-02: Vulnerability reported to manufacturer
2021-08-27: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for MIK.starlight
    https://www.mik.de/starlight-bi-suite-2/
[2] SySS Security Advisory SYSS-2021-039
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-039.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Nicola Staller of SySS GmbH.

E-Mail: nicola.staller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Nicola_Staller.asc
Key ID: 0x41DD2290
Key Fingerprint: A127 394A F398 B097 2332 637C 9DF3 39F9 41DD 2290

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en