Early Access — Mondoo Vulnerability Intelligence is currently in preview.
The product uses a hard-coded, unchangeable cryptographic key.
Prevention schemes mirror that of hard-coded password storage.
If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CVE-2022-29960Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation
CVE-2022-30271Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used by default.
CVE-2020-10884WiFi router service has a hard-coded encryption key, allowing root access
CVE-2014-2198Communications / collaboration product has a hardcoded SSH private key, allowing access to root account