CVE-2019-14482
Description
AdRem NetCrunch 10.6.0.4587 has a hardcoded SSL private key vulnerability in the NetCrunch web client. The same hardcoded SSL private key is used across different customers' installations when no other SSL certificate is installed, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AdRem NetCrunch 10.6.0.4587 ships a hardcoded SSL private key, enabling attackers who obtain the key to decrypt traffic and perform man-in-the-middle attacks against installations using the default certificate.
Vulnerability
AdRem NetCrunch version 10.6.0.4587 includes a hardcoded SSL private key in its web client. When no other SSL certificate is specified during installation (i.e., when "Use OpenSSL" is chosen and "Let me specify secure OpenSSL key and certificate files" is not selected), the software uses a static, pre-generated key that is identical across all deployments. AdRem NetCrunch 11.0.0.5282 is not vulnerable; older versions remain untested but are believed to be affected [1].
Exploitation
An attacker with network access to a NetCrunch web client can first obtain the hardcoded private key from any publicly available installation or source. Armed with this key, the attacker can decrypt SSL/TLS traffic between the client and the server, or perform man-in-the-middle attacks. No authentication is required to leverage the key against other installations using the same default certificate [1].
Impact
Successful exploitation allows the attacker to defeat cryptographic protections, leading to disclosure of sensitive information transmitted over HTTPS. This can include session tokens, credentials, and monitoring data. The attacker gains the ability to read and potentially modify traffic, compromising the confidentiality and integrity of communications for the affected NetCrunch web client [1].
Mitigation
AdRem released NetCrunch version 11.0.0.5282 which is not vulnerable to this issue [1]. Users should upgrade to this version or later. Administrators can also mitigate the risk by providing their own custom SSL certificate and key during installation, bypassing the use of the hardcoded default key. No workaround is available for versions that continue to use the default certificate.
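An added example (not from the advisory or from AdRem) of how an administrator could check certificates collected from NetCrunch web clients for the condition described above: several installations presenting the same certificate. The hostnames, the sample certificates and `KNOWN_DEFAULT_SHA256` are constructed placeholders, because the page does not publish the default certificate's fingerprint.

```python
import hashlib
import ssl
from collections import defaultdict

# Placeholder: the page does not give the default certificate's fingerprint.
# Take it from a lab installation left on the default "Use OpenSSL" setting.
KNOWN_DEFAULT_SHA256 = "<sha256-of-default-certificate>"


def cert_fingerprint(pem):
    """SHA-256 over the DER encoding of a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def audit(inventory, known_default=KNOWN_DEFAULT_SHA256):
    """Return {host: reason} for hosts serving a shared or known-default certificate."""
    by_fp = defaultdict(list)
    for host, pem in inventory.items():
        by_fp[cert_fingerprint(pem)].append(host)

    findings = {}
    for fp, hosts in by_fp.items():
        for host in hosts:
            if fp == known_default.lower():
                findings[host] = "matches known default certificate"
            elif len(hosts) > 1:
                others = sorted(h for h in hosts if h != host)
                findings[host] = "same certificate as " + ", ".join(others)
    return findings


def constructed_pem(payload):
    """Wrap arbitrary bytes in a PEM envelope (constructed test data, not real X.509)."""
    return ssl.DER_cert_to_PEM_cert(payload)


# Constructed inventory: two sites on the installer default, one with its own certificate.
SAMPLE_INVENTORY = {
    "netcrunch.site-a.example": constructed_pem(b"constructed-default-cert"),
    "netcrunch.site-b.example": constructed_pem(b"constructed-default-cert"),
    "netcrunch.site-c.example": constructed_pem(b"constructed-custom-cert-c"),
}

if __name__ == "__main__":
    for host, reason in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {reason}")
```

The check compares whole-certificate fingerprints, so it catches installations serving the identical default certificate; real certificates for the inventory can be collected with `ssl.get_server_certificate((host, port))`.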
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AdRem/NetCrunch
Patches
No patches discovered yet.
References
- compass-security.com/fileadmin/Research/Advisories/2020-16_CSNC-2019-017_AdRem_NetCrunch_Hardcoded_SSL_Private_Key.txt (mitre, x_refsource_MISC)
- www.adremsoft.com/support/ (mitre, x_refsource_MISC)