nyxfqq/gist:92232108ac153e95d538bb17fc5ad636

## gistfile1.txt
 [Suggested description]
 The encrypt function of netbird v0.28.4 was discovered to use a static
 initialization vector (IV), possibly compromising the security of
 sensitive data.
 in the Encrypt function located in the crypt.go file (part of the
 github.com/netbirdio/netbird/management/server/activity/sqlite package)
 utilizes a static initialization vector (IV). This practice is known to
 compromise the security of the encrypted data, as using a predictable
 IV can lead to pattern leaks and potentially allow attackers to infer
 information about the plaintext.
 code: var iv = []byte{10, 22, 13, 79, 05, 8, 52, 91, 87, 98, 88, 98,
 35, 25, 13, 05} func (ec *FieldEncrypt) Encrypt(payload string) string
 { plainText := pkcs5Padding([]byte(payload)) cipherText := make([]byte,
 len(plainText)) cbc := cipher.NewCBCEncrypter(ec.block, iv)
 cbc.CryptBlocks(cipherText, plainText) return
 base64.StdEncoding.EncodeToString(cipherText) }

 ------------------------------------------

 [VulnerabilityType Other]
 CWE-330

 ------------------------------------------

 [Vendor of Product]
 https://github.com/netbirdio/netbird/

 ------------------------------------------

 [Affected Product Code Base]
 netbird - <=0.28.4

 ------------------------------------------

 [Affected Component]
 sqlite service, package github.com/netbirdio/netbird/management/server/activity/sqlite

 ------------------------------------------

 [Attack Type]
 Remote

 ------------------------------------------

 [Impact Information Disclosure]
 true

 ------------------------------------------

 [Attack Vectors]
 Save an event in the SQLite events table end encrypt the "email" element in meta map

 ------------------------------------------

 [Discoverer]
 Yuexi Zhang

 ------------------------------------------

 [Reference]
 http://netbird.com
 https://github.com/netbirdio/netbird/
https://github.com/netbirdio/netbird/issues/2246
	[Suggested description]
	The encrypt function of netbird v0.28.4 was discovered to use a static
	initialization vector (IV), possibly compromising the security of
	sensitive data.
	in the Encrypt function located in the crypt.go file (part of the
	github.com/netbirdio/netbird/management/server/activity/sqlite package)
	utilizes a static initialization vector (IV). This practice is known to
	compromise the security of the encrypted data, as using a predictable
	IV can lead to pattern leaks and potentially allow attackers to infer
	information about the plaintext.
	code: var iv = []byte{10, 22, 13, 79, 05, 8, 52, 91, 87, 98, 88, 98,
	35, 25, 13, 05} func (ec *FieldEncrypt) Encrypt(payload string) string
	{ plainText := pkcs5Padding([]byte(payload)) cipherText := make([]byte,
	len(plainText)) cbc := cipher.NewCBCEncrypter(ec.block, iv)
	cbc.CryptBlocks(cipherText, plainText) return
	base64.StdEncoding.EncodeToString(cipherText) }

	------------------------------------------

	[VulnerabilityType Other]
	CWE-330

	------------------------------------------

	[Vendor of Product]
	https://github.com/netbirdio/netbird/

	------------------------------------------

	[Affected Product Code Base]
	netbird - <=0.28.4

	------------------------------------------

	[Affected Component]
	sqlite service, package github.com/netbirdio/netbird/management/server/activity/sqlite

	------------------------------------------

	[Attack Type]
	Remote

	------------------------------------------

	[Impact Information Disclosure]
	true

	------------------------------------------

	[Attack Vectors]
	Save an event in the SQLite events table end encrypt the "email" element in meta map

	------------------------------------------

	[Discoverer]
	Yuexi Zhang

	------------------------------------------

	[Reference]
	http://netbird.com
	https://github.com/netbirdio/netbird/
	https://github.com/netbirdio/netbird/issues/2246
No results found