CVE-2022-37857
Description
bilde2910 Hauk v1.6.1 requires a hardcoded password which by default is blank. This hardcoded password is hashed but stored within the config.php file server-side as well as in clear-text on the Android client device by default.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hauk v1.6.1 authenticates clients with a single hardcoded password that is blank by default; it is stored in clear-text on the Android client and as a hash in the server's config.php, so an unchanged install accepts unauthorized clients.
Vulnerability
Hauk version 1.6.1 requires a hardcoded password that defaults to blank. This password is stored in clear-text on the Android client device and as a hash in the server-side config.php file [1]. The password is used to authenticate clients to the self-hosted location-sharing service. The blank default together with the clear-text copy on the client amounts to a hardcoded-credential weakness combined with a weak password policy [2].
Exploitation
An attacker with physical or remote access to an Android device running the Hauk client can read the clear-text password from the application's storage. Alternatively, an attacker who gains read access to the server's config.php obtains the password hash and can attack it offline with tools like hashcat [1]; a blank or weak password falls to such an attack immediately. If the default blank password is still in use, no recovery step is needed at all: the attacker simply connects to the Hauk server with an empty password. In either case the recovered password is then used to authenticate to the server as a legitimate client.
Impact
Successful exploitation allows an attacker to authenticate to the Hauk server, potentially gaining access to real-time location data of all users sharing their location through the service. This leads to unauthorized information disclosure and a breach of user privacy [1]. The attacker may also be able to impersonate legitimate users or disrupt the service.
Mitigation
As of the available references, no official patch has been released for this issue. The developer acknowledged the report but left the password policy to the administrator's discretion [2]. Administrators should immediately replace the default blank password with a strong, unique passphrase, storing only its hash in config.php, and make sure every Android client is updated to the latest version and configured with the new passphrase. Because the client keeps the password in clear-text, treat any lost or compromised device as a reason to rotate it. Where a strong password cannot be enforced, consider a different location-sharing solution. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
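The following script is an added example, not Hauk's own code, showing how an administrator can check a server for the default described above and produce a replacement. It assumes config.php returns an array containing a 'password_hash' key whose value was produced by PHP's password_hash(); the key name and the return-an-array layout are assumptions, so check them against your own config.php before running it.

```php
<?php
// Added example (not Hauk's own code): audit a Hauk-style config.php for the
// blank default password from CVE-2022-37857 and print a replacement hash.
// ASSUMPTION: config.php returns an array with a 'password_hash' key holding
// the output of password_hash(). Adjust loadConfig() if your file differs.
declare(strict_types=1);

function loadConfig(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("cannot read $path");
    }
    $cfg = require $path;
    if (!is_array($cfg) || !isset($cfg['password_hash'])) {
        throw new RuntimeException("no 'password_hash' key returned by $path");
    }
    return $cfg;
}

// True when the stored hash verifies against the empty string, i.e. the
// default state the advisory describes. password_verify() reads the salt and
// algorithm out of the hash itself, so this works for any password_hash() output.
function acceptsBlankPassword(string $hash): bool
{
    return password_verify('', $hash);
}

// 32 random bytes encoded as base64url: 43 characters, ~256 bits of entropy.
function generatePassphrase(): string
{
    return rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
}

// Hash to paste into config.php. PASSWORD_DEFAULT is bcrypt on current PHP
// releases; a cost of 12 slows offline guessing if the hash ever leaks.
function hashForConfig(string $passphrase): string
{
    return password_hash($passphrase, PASSWORD_DEFAULT, ['cost' => 12]);
}

// Usage: php audit-hauk-config.php /var/www/hauk/config.php
$path = $argv[1] ?? 'config.php';
$cfg  = loadConfig($path);

if (acceptsBlankPassword($cfg['password_hash'])) {
    fwrite(STDERR, "WEAK: $path accepts an empty password (CVE-2022-37857 default)\n");
    $new = generatePassphrase();
    echo "Set this passphrase in every Android client (keep it in a password manager):\n";
    echo "  $new\n";
    echo "and replace 'password_hash' in $path with:\n";
    echo "  '" . hashForConfig($new) . "'\n";
    exit(1);
}

echo "OK: $path does not accept an empty password\n";
exit(0);
```

The script exits non-zero when the blank default is still in place, so it can be dropped into a deployment check. It deliberately never writes config.php itself: the new hash goes in through whatever change-management path the server already uses, and the passphrase has to reach each client out of band.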
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- bilde2910/Hauk
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] gainsec.com/2022/08/07/cve-2022-hardcoded-creds-weak-password-hauk-android-location-sharing/
- [2] github.com/bilde2910/Hauk/issues/187
News mentions
No linked articles in our index yet.