PT-2016-5134 · Fonality · Chrome Hudweb Plugin
Charlie Wolf · Published 2016-06-20 · Updated 2016-06-21
CVE-2016-2364
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Chrome HUDweb plugin for Fonality versions 12.6 through 14.1i
Description
The issue allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of a hardcoded private key from another installation. This is possible because the Chrome HUDweb plugin uses the same hardcoded private key across different customers' installations.
Recommendations
For Chrome HUDweb plugin for Fonality versions 12.6 through 14.1i, consider updating to a version released after 2016-05-05 to replace the hardcoded private key with a unique key for each installation.
Affected Products
Chrome Hudweb Plugin