CVE-2020-27688 — HIGH (7.5)

Vulnerability Description

RVToolsPasswordEncryption.exe in RVTools 4.0.6 allows users to encrypt passwords to be used in the configuration files. This encryption used a static IV and key, and thus using the Decrypt() method from VISKD.cs from the RVTools.exe executable allows for decrypting the encrypted passwords. The accounts used in the configuration files have access to vSphere instances.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Robware	Rvtools	4.0.6

Related Weaknesses (CWE)

CWE-522

References

https://github.com/matthiasmaes/CVE-2020-27688Third Party Advisory
https://www.robware.net/rvtools/ProductVendor Advisory
https://github.com/matthiasmaes/CVE-2020-27688Third Party Advisory
https://www.robware.net/rvtools/ProductVendor Advisory

FAQ

What is CVE-2020-27688?

CVE-2020-27688 is a vulnerability with a CVSS score of 7.5 (HIGH). RVToolsPasswordEncryption.exe in RVTools 4.0.6 allows users to encrypt passwords to be used in the configuration files. This encryption used a static IV and key, and thus using the Decrypt() method fr...

How severe is CVE-2020-27688?

CVE-2020-27688 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-27688?

Check the references section above for vendor advisories and patch information. Affected products include: Robware Rvtools.