Technical Advisory: Nexpose Hard‐coded Java Key Store Passphrase Allows Decryption of Stored Credentials
Vendor: Rapid7, Inc.
Vendor URL: http://rapid7.com
Versions affected: 6.4.9 2016-11-30 and potentially all prior releases.
Systems Affected: Nexpose Vulnerability Scanner
Author: Noah Beddome, Justin Lemay, and Ben Lincoln
Advisory URL / CVE Identifier: 2017-5230
Risk: Medium - Requires specific access criteria
Summary
The Nexpose vulnerability scanner by Rapid7 is widely used to identify network and application vulnerabilities in support of corporate security programs. The security console component supports the storing of credentials for authenticated vulnerability checking and enumeration of scanning targets.
Nexpose protects the stored credentials with a certificate stored in a Java Key Store. The passphrase for the keystore is hardcoded within the application source in all deployments of Rapid7 Nexpose. With Global administrator access to the web console or access to a back-up file an attacker can recover the encryption certificate and decrypt the scan credentials.
Location
All instances of Nexpose Vulnerability Scanner
Impact
With access to the web console as a global administrator or access to a backup file it is possible to decrypt stored scan credentials and use those credentials to conduct further attacks. This is made especially impactful in the case of weak Administrator passwords, or the use of the default admin user and password of nxadmin/nxpassword in Nexpose virtual appliances.
Technical Details
Nexpose protects user credentials with a certificate stored in a Java keystore:
- nsc.ks
When credentials are entered into the console, the application generates a new encryption key and encrypts the credentials.
Next, the generated key is padded and encrypted with the cert stored in nsc.ks, which is retrieved with the keystore password r@p1d7k3y$t0r3.
During decryption, the appliance deconstructs the encrypted credential object and uses the key in nsc.ks to decrypt the per-credential-set key generated during storage. The decrypted key is then used to recover the credentials for scanning.
As the keystore password is shared, it is possible to decrypt any set of credentials encrypted via the “STANDARD” encryption mode.
Given access to: – A set of encrypted credentials. – An nsc.ks keystore containing the associated cert for the credential. – An install of Nexpose Community Edition.
Recommendation
There is currently not a remediation for this issue. See below for additional direction from Rapid7 in the Vendor Communication section. Short term mitigating controls enforce additional access and monitoring around Nexpose instances and backups.
Vendor Communication
December 12, 2016: Disclosure sent to Rapid7.
Rapid7 thanks the researchers at NCC Group for bringing this issue to our attention. While Rapid7 works on reengineering how saved scan credentials are encrypted at rest, Nexpose customers can significantly reduce the risk of this issue by using strong authentication for Nexpose consoles, as well as ensuring that backups of Nexpose consoles are stored in a safe and secure manner.
To learn more, read Rapid 7’s advisory: https://community.rapid7.com/community/infosec/blog/2017/03/01/multiple-vulnerabilities-affecting-four-rapid7-products
Thanks to
Research Team – Noah Beddome, Justin Lemay, Ben Lincoln, and Clint Gibler
About NCC Group
NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cyber security.