LMG Security Researcher Identifies New Software Private Key Vulnerability Within a Fortune 500 Company's Software

News provided by

Aug 10, 2023, 09:35 ET

MISSOULA, Mont., Aug. 10, 2023 /PRNewswire/ -- LMG Security, an internationally recognized cybersecurity consulting firm, has discovered a new vulnerability involving a Fortune 500 company's software static encryption key. For the full details on the company and software impacted, please visit: https://LMGsecurity.com/software-vulnerability. Any adversary with access to this specific software can use this key to decrypt the administrative credentials for VMware's vCenter and leverage this access into a complete takeover. This type of vulnerability can easily be used in a zero-day attack. Discovered by Tom Pohl, LMG Security's penetration testing team manager, this information is being released at Pohl's DEFCON session, "Private Keys in Public Places."

"Attackers are looking for private keys," said Tom Pohl, penetration testing team manager at LMG Security. "While we were doing a penetration test, I discovered a static AES encryption key within the company's Compellent Integration Tools for VMware (CITV). Once I retrieved the AES key, I was able to use it to decrypt the vCenter administrative credentials and gained complete access over their VMware environment."

"This key is the same for EVERY customer!" Pohl continued. "If a criminal leverages this vulnerability, they could use it against any of this company's customers. Firmware and software binaries are littered with private keys that are hidden but not necessarily secured. We need to raise awareness of the risks stemming from this attack vector." This discovery was reported to the company with the standard 90-day window to fix the issue before this announcement.

Pohl says that if criminals find old, private keys for many firmware devices they can use them to breach the systems of a wide array of organizations. From there, they can expand their access and privileges to take control of the victims' networks. Software vendors should take steps to secure these private keys, and organizations should always be vigilant about checking the security controls used by their current and prospective suppliers. Pohl also recommends organizations conduct penetration testing at least annually, so expert white hat hackers can identify your security gaps before an attacker breaches your environment. Please visit LMGsecurity.com for more information on LMG Security's penetration testing or advisory services.

ABOUT LMG Security

LMG Security is an internationally recognized leader in the cybersecurity consulting industry. This full-service cybersecurity firm provides one-stop shopping for a wide array of cybersecurity services. Specializing in penetration testing, advisory and compliance services, cybersecurity solutions, and training for more than a decade, the LMG Security team's services were featured on the Today show. In addition, the team has published cutting-edge research on cell phone intrusion detection and banking Trojans, written books on ransomware and cyber extortion, network forensics, and data breaches, and routinely speak or train at Black Hat, RSA and many other security conferences. LMG Security is privately held and headquartered in Missoula, Montana. For more information visit LMGsecurity.com.

Contact:

Leslie Bishop
[email protected]
+1-406-830-3165

SOURCE LMG Security