CVE-2023-46919
Description
Phlox com.phlox.simpleserver (aka Simple HTTP Server) 1.8 and com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus have a hardcoded aKySWb2jjrr4dzkYXczKRt7K (AES) encryption key. An attacker with physical access to the application's source code or binary can extract this key and use it to decrypt the TLS secret.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Simple HTTP Server and PLUS have a hardcoded AES key; an attacker with access to the app binaries can decrypt TLS secrets, compromising communications.
Vulnerability
Simple HTTP Server (version 1.8) and Simple HTTP Server PLUS (version 1.8.1-plus) both hardcode an AES encryption key (aKySWb2jjrr4dzkYXczKRt7K) in their source code. The key is used to create a SecretKeySpec for AES encryption, which is employed to protect TLS-related secrets. Affected packages are com.phlox.simpleserver and com.phlox.simpleserver.plus [1].
Exploitation
An attacker with physical access to a device running either app can extract the application's source code or binary. From there, the hardcoded AES key is trivially recoverable by inspecting the code (e.g., via decompilation). Additionally, an attacker could perform a device backup, which may contain encrypted data that can now be decrypted using the extracted key [1].
Impact
Successful exploitation allows the attacker to decrypt TLS secrets, enabling decryption of network traffic. This compromises the confidentiality of data transmitted by the server. The attacker could also decrypt any other data encrypted with the same hardcoded key, potentially exposing stored sensitive information. The physical access requirement limits remote exploitation, but once obtained, the attacker can achieve a full breach of confidentiality for communications mediated by the application [1].
Mitigation
No fix or updated version has been released by the vendor as of the publication date (2023-12-27). The affected versions remain unpatched. Users should consider replacing the application with a secure alternative that does not use hardcoded cryptographic keys. If the app must be used, avoid storing or transmitting sensitive data through it until a fix is provided [1].
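The weak pattern the description names (an AES SecretKeySpec built from a string literal compiled into the APK) and the defensive alternative the mitigation section points at (a key that is generated on the device and never leaves the Android Keystore) side by side. This is an added illustration written for this page, not code from the Phlox apps; the placeholder key string, the Keystore alias and the choice of AES-GCM are assumptions, since the advisory does not state which cipher mode the apps use.

```java
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

public class SecretWrappingExample {

    // --- Weak pattern (the class of defect in CVE-2023-46919) -----------------
    // Key material is a compile-time literal, so anyone who decompiles the APK
    // recovers it. Placeholder value (assumption), NOT the key from the advisory.
    private static final String HARDCODED_KEY = "PLACEHOLDER-0123"; // 16 bytes -> AES-128

    static byte[] wrapWithHardcodedKey(byte[] secret) throws Exception {
        SecretKeySpec key = new SecretKeySpec(HARDCODED_KEY.getBytes("UTF-8"), "AES");
        return encrypt(key, secret);
    }

    // --- Hardened pattern ------------------------------------------------------
    // The key is generated inside the Android Keystore the first time it is
    // needed and can only be used, never exported. Extracting the app binary or
    // an app backup does not yield the key. Alias name is an assumption.
    private static final String ALIAS = "tls-secret-wrapping-key";

    static SecretKey getOrCreateKeystoreKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    static byte[] wrapWithKeystoreKey(byte[] secret) throws Exception {
        return encrypt(getOrCreateKeystoreKey(), secret);
    }

    static byte[] unwrapWithKeystoreKey(byte[] blob) throws Exception {
        return decrypt(getOrCreateKeystoreKey(), blob);
    }

    // --- Shared AES-GCM helpers -----------------------------------------------
    // Output layout: 12-byte IV || ciphertext+tag. The cipher chooses the IV
    // itself; Keystore keys reject caller-supplied IVs by default, which is
    // what we want (no IV reuse across wraps).
    private static final int IV_LEN = 12;
    private static final int TAG_BITS = 128;

    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key);
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        if (blob.length < IV_LEN + TAG_BITS / 8) {
            throw new IllegalArgumentException("blob too short");
        }
        byte[] iv = new byte[IV_LEN];
        System.arraycopy(blob, 0, iv, 0, IV_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        // Authentication failure (tampered blob or wrong key) throws AEADBadTagException.
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }
}
```

The practical check for an auditor is the one the advisory implies: grep the decompiled app for `new SecretKeySpec(` whose first argument traces back to a string or byte-array literal. With the Keystore pattern there is no literal to find, and a backup of the app's data directory contains only ciphertext whose key stays on the device that produced it.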
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Phlox/Simple HTTP Server
- Range: = 1.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.