Name of the Vulnerable Software and Affected Versions MagicCrypt (affected versions not specified)

Description The issue concerns the use of insecure cryptographic algorithms and practices that compromise the integrity of encrypted data. Specifically, MagicCrypt64 uses the insecure DES block cipher in CBC mode without authentication, allowing for brute force and padding oracle attacks. The MagicCrypt64, MagicCrypt128, MagicCrypt192, and MagicCrypt256 implementations are all vulnerable to padding-oracle attacks and do not protect the integrity of the ciphertext. Additionally, these implementations use uninitialized memory without proper structures, making them unsound. The key and IV are generated from user input using CRC64, which is not a suitable key derivation function. None of the implementations use password-based key derivation functions, despite the key being intended to be generated from a password.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.