How severe is CVE-2023-43637?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.8 out of 10.

What type of vulnerability is CVE-2023-43637?

This is classified as CWE-321, which is a common weakness in software security.

CVE-2023-43637 - HIGH Severity | CVSS 7.8

Vulnerability Description

Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys"). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32bytes key usage.

Related Vulnerabilities

CVE-2020-25173

HIGH

CVSS:7.8(High)

An attacker with local network access can obtain a fixed cryptography key which may allow for further compromise of Reolink P2P cameras outside of local network access

CWE-3212020

CVE-2022-34462

HIGH

CVSS:7.8(High)

Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a Hard-coded Password Vulnerability. An attacker, with the knowledge of the hard-coded credentials, could potentially exploit this v...

CWE-3212022

CVE-2022-36925

HIGH

CVSS:7.8(High)

Zoom Rooms for macOS clients before version 5.11.4 contain an insecure key generation mechanism. The encryption key used for IPC between the Zoom Rooms daemon service and the Zoom Rooms client was gen...

CWE-3212022

CVE-2017-5242

HIGH

CVSS:7.7(High)

Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virt...

CWE-3212017

CVE-2020-25234

HIGH

CVSS:7.7(High)

A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3), LOGO! Soft Comfort (All versions < V8.3). The LOGO! program files generated and used by the affected co...

CWE-3212020

CVE-2024-31410

HIGH

CVSS:7.7(High)

The devices which CyberPower PowerPanel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send maliciou...

CWE-3212024