ID Product Version Vulnerability
SUID-2019-00004 Scytl Secure Vote (sVote) 2.1 Hardcoded PKCS12 Passwords
*SUID-ID's are referencing security issues and bad practices that are not neccessarly exploitable but still might cause issues in certain scenarios.

Description

The mixnet-spring component uses hardcoded passwords for certificates: evoting-solution/source-code/online-voting-mixing/mixnet- spring/src/main/java/com/scytl/products/ov/mixnet/spring/MixingSecureLoggerConfig.java
private static final String CIPHER_PKCS12_PSWD = "649VRY52GXXCNJH48X5F";

private static final String SIGNATURE_PKCS12_PSWD = "GXXCNJH48X5F649VRY52";
These hardcoded values will be later used in the same file:
secureAppender.setCipherPkcs12FileName(CIPHER_PKCS12_CERTIFICATE);
            secureAppender.setCipherPkcs12Password(CIPHER_PKCS12_PSWD);
            secureAppender.setSignaturePkcs12FileName(SIGNATURE_PKCS12_CERTIFICATE);
            secureAppender.setSignaturePkcs12Password(SIGNATURE_PKCS12_PSWD);
Since the mixnet-spring library isn't intended for the "high-trust" environments they might not be directly attackable.
Further iterations however might reuse code or implement unsafe coding practices which render the vulnerability exploitable.


Timeline

Date Event
February 07 2020 Submitted issue to vendor
February 13 2020 Vendor acknowledged the issue

Credits

Name Team
Anthony Schneiter SUID
Jannis Kirschner SUID