ID Product Version Vulnerability
SUID-2019-00004* Scytl Secure Vote (sVote) 2.1 Hardcoded PKCS12 Passwords

Description

The mixnet-spring component uses hardcoded passwords for certificates: evoting-solution/source-code/online-voting-mixing/mixnet- spring/src/main/java/com/scytl/products/ov/mixnet/spring/MixingSecureLoggerConfig.java
private static final String CIPHER_PKCS12_PSWD = "649VRY52GXXCNJH48X5F"; private static final String SIGNATURE_PKCS12_PSWD = "GXXCNJH48X5F649VRY52"; These hardcoded values will be later used in the same file:
secureAppender.setCipherPkcs12FileName(CIPHER_PKCS12_CERTIFICATE); secureAppender.setCipherPkcs12Password(CIPHER_PKCS12_PSWD); secureAppender.setSignaturePkcs12FileName(SIGNATURE_PKCS12_CERTIFICATE); secureAppender.setSignaturePkcs12Password(SIGNATURE_PKCS12_PSWD); Since the mixnet-spring library isn't intended for the "high-trust" environments they might not be directly attackable.
Further iterations however might reuse code or implement unsafe coding practices which render the vulnerability exploitable.

Disclosure Timeline

Credit

Jannis Kirschner & Anthony Schneiter from Team SUID


*SUID-ID's are referencing security issues and bad practices that are not neccessarly exploitable but still might cause issues in certain scenarios.