CVE-2022-41397 in Sage 300

Summary

by MITRE • 04/28/2023

The optional Web Screens and Global Search features for Sage 300 through version 2022 use a hard-coded 40-byte Blowfish key ("LandlordPassKey") to encrypt and decrypt secrets stored in configuration files and in database tables.


Analysis

by VulDB Data Team • 01/31/2025

CVE-2022-41397 affects Sage 300 up to and including version 2022, specifically the optional Web Screens and Global Search features. The flaw is one of key management rather than cipher choice: a static 40-byte Blowfish key, referred to as "LandlordPassKey", is embedded in the application itself and is the only thing protecting secrets written to configuration files and database tables. Because the key ships with the software, every installation uses the same key, and anyone who can obtain a copy of the application can obtain it.

Technically this is a textbook instance of CWE-321 (Use of Hard-coded Cryptographic Key); CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) is also commonly cited, since Blowfish's 64-bit block size is dated. The algorithm is the lesser problem, though. With a predictable, static key, the strength of the cipher is irrelevant: an attacker recovers the key once, from the installed binary, from documentation, or simply from a published advisory, and can then decrypt the secrets of any installation anywhere. Encryption under a key the adversary is assumed to hold provides obfuscation, not confidentiality.

The operational impact reaches beyond the two named features. An attacker with read access to the application environment (a file share, a database backup, a copied configuration file) can decrypt everything stored under this key, which may include user credentials, database connection strings, API keys and other integration secrets. Administrators cannot rotate or replace the key, so the exposure persists until the vendor changes the design. This maps to ATT&CK technique T1552.001 (Unsecured Credentials: Credentials In Files), and the recovered credentials are a typical starting point for lateral movement and privilege escalation into the systems Sage 300 integrates with.

Organizations running affected versions should treat this as a high-priority remediation item, particularly where the application handles sensitive business data or stores credentials for other systems. Any compromise of an installation, whether through network intrusion, an insider, or physical access to a backup, immediately yields all encrypted data. The first step is to apply a fix from Sage if one is available. Where that is not yet possible, compensating controls should limit who can read the affected configuration files, database tables and backups (file-system and database permissions, network segmentation), rotate any downstream credentials that were stored under this key, and monitor for unexpected access to the affected components. A quick check for the weakness is to search the shipped binaries and configuration for the key constant itself; if it is present in the clear, every secret protected by it should be assumed recoverable.
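The following added example (not Sage code and not from this advisory) shows the property described above in runnable form: a secret encrypted under a key compiled into every installation is recovered by anyone holding a copy of the binary, while a key generated per installation and stored outside the application is not. Blowfish is not in the Python standard library, so a stand-in keystream cipher built from HMAC-SHA256 in counter mode is used; the key-management lesson is independent of the cipher. The key bytes `b"LandlordPassKey"`, the fake binary and the sample secret are constructed for illustration only; the page names the key but does not reproduce its 40-byte value.

```python
"""Hard-coded key vs per-installation key: an added illustration, not Sage code."""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
import struct

# Assumed illustrative value. The advisory names the key "LandlordPassKey";
# the real 40-byte key material is not reproduced here.
HARDCODED_KEY = b"LandlordPassKey"
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for Blowfish (not in the stdlib): HMAC-SHA256 run in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message, prepended to the ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- vulnerable pattern: one key compiled into every installation ---------------
def store_secret_vulnerable(secret: bytes) -> bytes:
    """What the affected design does: encrypt under the constant shipped in the code."""
    return encrypt(HARDCODED_KEY, secret)


def find_key_offsets(binary: bytes, key: bytes) -> list[int]:
    """Auditor's check: is the key constant present in the shipped binary or config?"""
    return [m.start() for m in re.finditer(re.escape(key), binary)]


def attacker_recover(stolen_blob: bytes, leaked_key: bytes) -> bytes:
    """Attacker already holds the key (from the binary, docs or the advisory)."""
    return decrypt(leaked_key, stolen_blob)


# --- hardened pattern: per-installation key generated at install time -----------
def new_install_key() -> bytes:
    """Generated once per deployment and kept outside the application (OS keystore,
    or a file readable only by the service account); never a constant in source."""
    return secrets.token_bytes(32)


def store_secret_hardened(install_key: bytes, secret: bytes) -> bytes:
    return encrypt(install_key, secret)


def demo() -> dict:
    secret = b"db_password=Sup3rS3cret!"  # constructed sample secret
    # Constructed stand-in for a shipped executable with the key embedded in it.
    fake_binary = b"MZ\x90\x00...code..." + HARDCODED_KEY + b"...more code...\x00"

    vuln_blob = store_secret_vulnerable(secret)
    install_key = new_install_key()
    hard_blob = store_secret_hardened(install_key, secret)

    return {
        "key_found_in_binary": bool(find_key_offsets(fake_binary, HARDCODED_KEY)),
        "attacker_recovers_vulnerable": attacker_recover(vuln_blob, HARDCODED_KEY) == secret,
        "attacker_recovers_hardened": attacker_recover(hard_blob, HARDCODED_KEY) == secret,
        "owner_recovers_hardened": decrypt(install_key, hard_blob) == secret,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-message nonce keeps the stand-in cipher from being trivially broken by XORing two ciphertexts, but it does nothing about the real problem: `attacker_recover` succeeds against `store_secret_vulnerable` because the key is public knowledge, and fails against `store_secret_hardened` only because that key never left the deployment. In a real fix the per-installation key would be protected by the operating system (for example DPAPI on Windows) rather than by a plain file.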

Reservation

09/26/2022

Disclosure

04/28/2023

Moderation

accepted

CPE

ready

EPSS

0.00675

KEV

no

Activities

very low

Sources
