CVE-2023-43637

Name of the Vulnerable Software and Affected Versions SoftwareX versions prior to 7.10

Description The issue arises from the implementation of deriveVaultKey, which generates a vault key with the last 16 bytes predetermined to be "arfoobarfoobarfo". This occurs because deriveVaultKey calls retrieveCloudKey, returning "foobarfoobarfoobarfoobarfoobarfo" as the key, and then merges the 32-byte randomly generated key with this key using mergeKeys. This makes the key weaker. Devices initialized before version 7.10 and updated to a newer version still have this issue.

Recommendations For versions prior to 7.10, roll an update that enforces the full 32bytes key usage. As a temporary workaround, consider restricting the usage of the deriveVaultKey function until a patch is available.