CVE-2021-45458 in Kylin
Summary
by MITRE • 01/06/2022
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 01/09/2022
The vulnerability described in CVE-2021-45458 resides within Apache Kylin's PasswordPlaceholderConfigurer encryption implementation, which represents a critical weakness in the software's credential management system. This encryption class, designed to help users encrypt passwords for configuration files, contains a fundamental flaw where the cipher initialization uses hardcoded key and initialization vector values. The flaw directly violates security best practices by employing static cryptographic parameters that remain unchanged across deployments, creating a predictable and exploitable encryption mechanism. The vulnerability manifests when users configure encrypted passwords through this class and store them in Kylin's configuration files, establishing a scenario where sensitive authentication data becomes potentially reversible through cryptographic analysis.
The technical implementation of this flaw stems from the use of hardcoded cryptographic parameters within the encryption algorithm, which aligns with CWE-327 - Use of a Broken or Risky Cryptographic Algorithm. The specific weakness lies in the cipher's initialization process where both the encryption key and initialization vector are predetermined and embedded within the application code rather than being dynamically generated or user-provided. This design choice eliminates the essential cryptographic principle of unique key generation for each encryption operation, rendering the entire encryption scheme vulnerable to reverse engineering and decryption attacks. The hardcoded nature of these parameters means that any attacker who can access the configuration files containing the encrypted passwords can potentially reconstruct the original plaintext credentials.
The operational impact of this vulnerability extends across multiple Apache Kylin versions, affecting all releases prior to the mentioned patches including versions 2.6.6 and earlier, 3.1.2 and earlier, and 4.0.0 and earlier. This widespread exposure across different major versions indicates a systemic security flaw in the software's credential handling architecture. When users implement the PasswordPlaceholderConfigurer for password encryption and store the resulting encrypted values in configuration files, they inadvertently create a backdoor for attackers who can reverse-engineer the encryption process to obtain plaintext credentials. The vulnerability creates a persistent risk where compromised configuration files immediately translate to credential compromise, potentially leading to unauthorized access to databases, systems, and other resources protected by the encrypted passwords.
The security implications of this vulnerability can be analyzed through the ATT&CK framework, particularly under the T1552 - Unsecured Credentials technique and T1078 - Valid Accounts category. Attackers can leverage this weakness to escalate privileges and maintain persistent access to systems by obtaining plaintext passwords from configuration files. The vulnerability also relates to T1528 - Steal Application Access Token, as compromised credentials can be used to access application resources and data. Organizations using affected Apache Kylin versions face significant risk of credential exposure, potentially leading to data breaches, unauthorized database access, and privilege escalation attacks. The impact is particularly severe because the encryption mechanism was designed to provide security but instead creates a false sense of security while exposing sensitive information.
Mitigation strategies for this vulnerability require immediate action to address the hardcoded cryptographic parameters within the PasswordPlaceholderConfigurer class. Organizations should upgrade to patched versions of Apache Kylin that resolve this cryptographic weakness by implementing proper key generation and management practices. The recommended approach involves replacing the hardcoded key and IV with dynamically generated values that are unique for each encryption operation and properly managed through secure key distribution mechanisms. Additionally, security teams should conduct comprehensive audits of all configuration files containing encrypted passwords to identify and replace any affected encrypted credentials. The remediation process should include implementing proper access controls for configuration files, regular security assessments, and establishing secure credential management practices that avoid the use of static cryptographic parameters in production environments.