Publicly Known Cryptographic Machine Key In Procura Portal Application
Description
Publicly known cryptographic machine key in AlayaCare's Procura Portal before 9.0.1.2 allows attackers to forge their own authentication cookies and bypass the application's authentication mechanisms.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AlayaCare's Procura Portal before 9.0.1.2 uses a publicly known cryptographic machine key, allowing unauthenticated attackers to forge authentication cookies and bypass authentication.
Vulnerability
Procura Portal by AlayaCare before version 9.0.1.2 uses a publicly known cryptographic machine key [1]. This key is intended to be secret but is disclosed in the application, allowing any unauthenticated attacker to forge and encrypt their own authentication cookies [1]. The vulnerability affects all versions prior to 9.0.1.2 [1].
Exploitation
An unauthenticated attacker with network access to the Procura Portal can exploit this vulnerability. No authentication or user interaction is required. The attacker can craft a malicious authentication cookie using the known cryptographic key, then present that cookie to the application to impersonate any user [1]. The public availability of the key eliminates the need for decryption or brute-force attacks.
Impact
Successful exploitation allows the attacker to completely bypass the application's authentication mechanisms, gaining unauthorized access to the Procura Portal [1]. The attacker can then view, modify, or delete any data accessible through the application, potentially compromising sensitive patient or healthcare information, depending on the data stored in the portal [1].
Mitigation
The vulnerability is fixed in Procura Portal version 9.0.1.2 [1]. Users must upgrade to this version or later to remediate the issue. There is no known workaround; applying the patched version is the only mitigation confirmed in the references [1]. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
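A defender-side check for the condition described above, added here as an example (not code from AlayaCare or from the cited reference). It assumes the portal is an ASP.NET application that keeps its key in a `<machineKey>` element of `web.config`, which this page does not state; the key fingerprint list, the function name and the sample configurations are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for a key that has leaked; the real key is not on this page.
SAMPLE_PUBLIC_KEY = "0123456789ABCDEF" * 4
# SHA-256 fingerprints of known-public keys (constructed placeholder list).
KNOWN_PUBLIC_KEY_SHA256 = {hashlib.sha256(SAMPLE_PUBLIC_KEY.encode()).hexdigest()}

def audit_machine_key(web_config_xml):
    """Return findings for every <machineKey> element in one web.config document."""
    findings = []
    for mk in ET.fromstring(web_config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET generates a per-machine key when the attribute is absent.
            value = mk.get(attr, "AutoGenerate").strip()
            if value.split(",")[0].lower() == "autogenerate":
                continue
            findings.append(f"{attr}: static key stored in config")
            # Hex keys are case-insensitive, so normalise before fingerprinting.
            fingerprint = hashlib.sha256(value.upper().encode()).hexdigest()
            if fingerprint in KNOWN_PUBLIC_KEY_SHA256:
                findings.append(f"{attr}: matches a publicly known key")
    return findings

# Constructed sample configurations (not taken from Procura Portal).
SHIPPED_KEY_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{SAMPLE_PUBLIC_KEY.lower()}"
              decryptionKey="{'AB' * 24}" validation="SHA1" decryption="AES" />
</system.web></configuration>"""
AUTOGEN_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("shipped", SHIPPED_KEY_CONFIG), ("autogen", AUTOGEN_CONFIG)):
        print(name, audit_machine_key(cfg) or "no static machine key")
```

A static key that is not on the known-public list is still worth review, because every installation deployed from the same configuration file shares it.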
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.0.1.2
- AlayaCare/Procura Portal, v5, Range: 0
Patches
No patches discovered yet.
References
1 reference
News mentions
No linked articles in our index yet.