PT-2020-16764 · Robbie Van Bommel · Rvtools

Published: 2020-11-05 · Updated: 2023-12-01 · CVE-2020-27688

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: RVTools version 4.0.6

Description: The RVToolsPasswordEncryption.exe utility in RVTools 4.0.6 encrypts passwords with a static key and a static initialization vector (IV). The same constants are used by the Decrypt() method in VISKD.cs, which is compiled into RVTools.exe, so anyone who can read an encrypted value out of a configuration file and has a copy of the tool (or has decompiled the .NET assembly) can recover the plaintext without any secret of their own. Because the key and IV never change, encrypting the same password twice also yields the same ciphertext, which makes the weakness easy to confirm from the outside. The practical impact is exposure of the vSphere accounts whose passwords were stored this way.

Recommendations: For RVTools 4.0.6, treat any value produced by RVToolsPasswordEncryption.exe as equivalent to a clear-text password: restrict file-system access to the configuration files that hold it, keep the vSphere account it protects least-privileged, and rotate any password that has already been stored in this form. Restricting access to VISKD.cs is not a meaningful control, since the decryption routine ships inside RVTools.exe, which every user of the tool already has. As a workaround, do not store passwords with the utility (supply credentials interactively or through a Windows-protected store such as DPAPI) until a release that replaces the static key and IV is available.
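The following Python is an added illustration of the weakness and of the checks a practitioner would run; it is not RVTools' code, and the key, IV, cipher and `password=<hex>` config layout are all made up for the demonstration (the real constants and file format are not on this page). An HMAC-based counter-mode keystream stands in for whatever block cipher the utility uses, because the problem shown, one fixed key and IV for every password, does not depend on the cipher. The block also shows the shape a fixed design takes: a random IV per secret, an authentication tag, and a key supplied from outside the program.

```python
import hashlib
import hmac
import secrets

# Hypothetical stand-ins for the static key and IV the advisory says are
# embedded in RVToolsPasswordEncryption.exe / RVTools.exe. The real values are
# not on the page; these are made up for the demonstration.
STATIC_KEY = b"hypothetical-static-key-0123456"
STATIC_IV = bytes(16)


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in for the block cipher the
    utility uses. The weakness shown here (same key and IV for every
    password) does not depend on which cipher sits underneath."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_static(plaintext: bytes) -> bytes:
    """Models RVToolsPasswordEncryption.exe: fixed key, fixed IV, every run."""
    return _xor(plaintext, _keystream(STATIC_KEY, STATIC_IV, len(plaintext)))


def decrypt_static(ciphertext: bytes) -> bytes:
    """Models Decrypt() from VISKD.cs: needs only the constants, nothing secret."""
    return _xor(ciphertext, _keystream(STATIC_KEY, STATIC_IV, len(ciphertext)))


def is_deterministic(encrypt_fn, sample: bytes = b"Passw0rd!") -> bool:
    """Black-box check for any password-encryption utility: encrypt the same
    input twice. Identical output means no per-run IV (or salt) is used."""
    return encrypt_fn(sample) == encrypt_fn(sample)


def recover_config_password(config_line: str) -> str:
    """Attacker view: a config line with a hex-encoded ciphertext plus the
    constants lifted from the binary is all that is needed. The
    'password=<hex>' layout is a constructed example, not RVTools' format."""
    key, _, value = config_line.partition("=")
    if key.strip() != "password":
        raise ValueError("not a password line")
    return decrypt_static(bytes.fromhex(value.strip())).decode()


# Hardened shape: random IV per secret and an authentication tag, with the key
# supplied from outside the program (e.g. an OS credential store) rather than
# compiled in. Encrypt-then-MAC with separate derived keys.
def _derive(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()


def encrypt_random_iv(plaintext: bytes, master_key: bytes) -> bytes:
    iv = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(_derive(master_key, b"enc"), iv, len(plaintext)))
    tag = hmac.new(_derive(master_key, b"mac"), iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def decrypt_random_iv(blob: bytes, master_key: bytes) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_derive(master_key, b"mac"), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext tampered or wrong key")
    return _xor(ct, _keystream(_derive(master_key, b"enc"), iv, len(ct)))


def rejects_tampering(blob: bytes, master_key: bytes) -> bool:
    """True if flipping one ciphertext bit makes decryption fail."""
    tampered = blob[:16] + bytes([blob[16] ^ 1]) + blob[17:]
    try:
        decrypt_random_iv(tampered, master_key)
    except ValueError:
        return True
    return False


# Constructed config line, as an attacker would find it on disk.
CONFIG_LINE = "password=" + encrypt_static(b"vcenter-s3cret").hex()

if __name__ == "__main__":
    print("static utility deterministic:", is_deterministic(encrypt_static))
    print("recovered from config:", recover_config_password(CONFIG_LINE))
    k = secrets.token_bytes(32)
    print("random-IV variant deterministic:",
          is_deterministic(lambda p: encrypt_random_iv(p, k)))
```

The `is_deterministic` check is the one worth carrying over to the real tool: run RVToolsPasswordEncryption.exe twice on the same password and compare the output; identical results confirm that no per-run IV is involved. Note that the hardened variant only moves the problem to where `master_key` lives; for a Windows desktop tool the usual answer is to hand the secret to DPAPI (ProtectedData in .NET) so that no application-level key exists to extract at all.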

Exploit

Fix

Weakness Enumeration

Insufficiently Protected Credentials (CWE-522)

Related Identifiers

CVE-2020-27688

Affected Products

RVTools