CVE-2022-23650: Use of Hard-coded Cryptographic Key in Netmaker

CVSS Score (v3.1): 7.2

Basic Information

EPSS Score: 0.67381%
Published: 2/22/2022
Updated: 2/3/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| github.com/gravitl/netmaker | go | < 0.8.5 | 0.8.5 |
| github.com/gravitl/netmaker | go | >= 0.9.0, < 0.9.4 | 0.9.4 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the global variable `jwtSecretKey` in `logic/jwts.go` being initialized with a static value `(BytesOverTheWire)`. Both `CreateJWT` and `CreateUserJWT` functions used this hard-coded key to sign JWTs. The patch replaced the hard-coded value with a dynamically generated secret (via `SetJWTSecret`), confirming these functions were vulnerable due to their dependency on the static key. The functions' direct use of `jwtSecretKey` for cryptographic operations aligns with CWE-321 and CWE-798.
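The difference between a compiled-in signing key and a secret generated per deployment, shown as an added example that is not Netmaker's code: a minimal standard-library HS256 signer and verifier. The key constant, claim contents and function names are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed placeholder (not Netmaker's value): any key compiled into the binary.
var staticKey = []byte("placeholder-key-committed-to-source")
var b64 = base64.RawURLEncoding

// signHS256 builds a compact HS256 JWT over the given JSON claims.
func signHS256(key []byte, claimsJSON string) string {
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(claimsJSON))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyHS256 recomputes the MAC over header.payload and compares in constant time.
func verifyHS256(key []byte, token string) bool {
	i := strings.LastIndex(token, ".")
	sig, err := b64.DecodeString(token[i+1:])
	if err != nil || strings.Count(token, ".") != 2 {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(token[:i]))
	return hmac.Equal(sig, mac.Sum(nil))
}

// newSecret is the hardened form: a per-deployment key from the OS CSPRNG.
func newSecret() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func main() {
	secret, err := newSecret()
	if err != nil {
		panic(err)
	}
	tok := signHS256(staticKey, `{"user":"example"}`) // constructed claims, signed with the shared constant
	fmt.Println("static-key verifier:", verifyHS256(staticKey, tok), "random-key verifier:", verifyHS256(secret, tok))
}
```

Every installation that ships the same constant accepts the same tokens, while a verifier keyed from `newSecret` accepts only tokens it issued itself.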

Impact

There is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server, if you know the address and username of the admin. This affects the server (netmaker) component, and not clients.
