CVE-2017-5230 in Nexpose

Summary

by MITRE

The Java keystore in all versions and editions of Rapid7 Nexpose is encrypted with a static password of 'r@p1d7k3y5t0r3' which is not modifiable by the user. The keystore provides storage for saved scan credentials in an otherwise secure location on disk.


Analysis

by VulDB Data Team • 09/03/2020

CVE-2017-5230 describes a design weakness in Rapid7 Nexpose: the Java keystore that holds saved scan credentials is protected with the fixed password 'r@p1d7k3y5t0r3', which is built into the product and cannot be changed by the user. The weakness is reported for all versions and editions. A keystore password is meant to be the last barrier between someone who can read the file and the secrets inside it; a password that is identical in every installation and printed in the advisory provides no such barrier, so the confidentiality of the stored credentials reduces entirely to the file-system permissions that guard the keystore on disk.

The weakness maps to CWE-259 (Use of Hard-coded Password). A single secret shared across the whole install base means there is nothing a customer can rotate, no per-installation key material, and no configuration change that closes the gap: the component designed to protect sensitive data is itself the weakest link.

The practical impact is credential disclosure. An attacker who obtains the keystore file, whether from a compromised or poorly permissioned console host, a backup, a disk image or a misconfigured share, can decrypt every saved scan credential. Scan credentials are typically privileged (local administrator, SSH, database or domain accounts used for authenticated scanning), so their loss supports lateral movement and privilege escalation across the scanned estate. The direct impact is on confidentiality; integrity and availability of scanning are affected only indirectly, through what the attacker later does with the recovered accounts. Note that exploitation presupposes read access to the keystore: this is a post-compromise weakness, not a remote, unauthenticated one.

In ATT&CK terms the weakness sits under the Credential Access tactic (unsecured credentials stored in files) and feeds lateral movement and persistence elsewhere in the environment. Because the keystore password cannot be changed, mitigation has to happen around it: restrict file-system access to the keystore and harden and isolate the console host; treat backups and images of that host with the same sensitivity as the live keystore; scope scan accounts to the least privilege authenticated scanning needs and avoid reusing them for anything else; rotate every stored scan credential if the host or its backups may have been exposed; and monitor for access to the keystore and for unexpected use of the scan accounts. The broader lesson for product design is that security tooling must use per-installation key material, preferably held in an OS credential manager, KMS or HSM, and never a password compiled into the binary.
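The hard-coded pattern and the per-installation alternative, shown with the standard Java KeyStore API. This is an added illustration written for this page, not Nexpose code; the class name, aliases, file names and the placeholder constant are hypothetical, and the per-install secret file assumes POSIX file permissions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.util.Base64;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Added illustration for this page, not Nexpose code. A credential store backed by a
// PKCS12 keystore, protected first the CWE-259 way (a constant compiled into the
// product) and then with a per-installation secret. Names and paths are hypothetical.
public final class CredentialStore {

    // Weak pattern: the same password in every installation. Once it appears in a
    // decompiled jar or an advisory, every customer's keystore opens with it.
    static final char[] STATIC_PASSWORD = "static-store-password".toCharArray(); // placeholder

    // Hardened pattern: a random password generated once per installation and kept
    // in a file that only the service account can read (POSIX permissions assumed).
    static char[] perInstallPassword(Path secretFile) throws IOException {
        if (Files.exists(secretFile)) {
            return new String(Files.readAllBytes(secretFile), StandardCharsets.UTF_8).trim().toCharArray();
        }
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        String encoded = Base64.getEncoder().encodeToString(raw);
        Files.createFile(secretFile,
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        Files.write(secretFile, encoded.getBytes(StandardCharsets.UTF_8));
        return encoded.toCharArray();
    }

    // Store one scan credential under an alias. Secrets go in as a SecretKeyEntry; the
    // "AES" name is only a label the PKCS12 encoder needs, the bytes are the password.
    static void saveCredential(Path store, char[] storePassword, String alias, String secret)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        if (Files.exists(store)) {
            try (InputStream in = Files.newInputStream(store)) { ks.load(in, storePassword); }
        } else {
            ks.load(null, storePassword); // fresh, empty keystore
        }
        SecretKey wrapped = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "AES");
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(wrapped),
                new KeyStore.PasswordProtection(storePassword));
        try (OutputStream out = Files.newOutputStream(store)) { ks.store(out, storePassword); }
    }

    static String loadCredential(Path store, char[] storePassword, String alias)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(store)) { ks.load(in, storePassword); }
        SecretKey k = (SecretKey) ks.getKey(alias, storePassword);
        if (k == null) throw new GeneralSecurityException("no credential stored under " + alias);
        return new String(k.getEncoded(), StandardCharsets.UTF_8);
    }

    // Audit check: does the keystore open with a given (known or default) password?
    // A wrong password surfaces as an IOException whose cause is UnrecoverableKeyException.
    static boolean opensWith(Path store, char[] candidate) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, candidate);
            return true;
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) return false;
            throw e; // corrupt file or real I/O error, not a password mismatch
        }
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("credstore");
        Path weak = dir.resolve("weak.p12");
        Path hardened = dir.resolve("hardened.p12");
        char[] installPassword = perInstallPassword(dir.resolve("store.secret"));

        saveCredential(weak, STATIC_PASSWORD, "scan-admin", "S3cret-scan-pw");     // vulnerable pattern
        saveCredential(hardened, installPassword, "scan-admin", "S3cret-scan-pw"); // hardened pattern

        // Anyone who knows the constant recovers the weak store's secrets outright.
        System.out.println("weak store opens with the constant:       " + opensWith(weak, STATIC_PASSWORD));
        System.out.println("recovered from weak store:                " + loadCredential(weak, STATIC_PASSWORD, "scan-admin"));
        // The hardened store needs this installation's secret file as well as the keystore.
        System.out.println("hardened store opens with the constant:   " + opensWith(hardened, STATIC_PASSWORD));
        System.out.println("hardened store opens with install secret: " + opensWith(hardened, installPassword));
    }
}
```

The per-install secret does not remove the dependency on file permissions; it moves the trust boundary so that an attacker needs both files from the same host, and a leak of one installation's secret no longer opens every other installation's keystore. The opensWith check is the audit a practitioner can run against any keystore that ships with a product: if it returns true for a password taken from documentation, source or an advisory, the keystore is offering no protection beyond the file system. Keeping the store password in an OS credential manager, KMS or HSM rather than a second file is the next step up.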

Reservation

01/09/2017

Disclosure

03/02/2017

Moderation

accepted

Entry

VDB-97478

CPE

ready

EPSS

0.00444

KEV

no

Activities

very low

Sources
