{"vuid":"VU#301788","idnumber":"301788","name":"Toshiba CHEC contains a hard-coded cryptographic key","keywords":["toshiba","chec","cwe-321","hard-coded cryptographic key"],"overview":"Toshiba CHEC, versions 6.6, 6.7, and possibly earlier, contain a hard-coded cryptographic key.","clean_desc":"CWE-321: Use of Hard-coded Cryptographic Key - CVE-2014-4875\nToshiba CHEC, versions 6.6, 6.7, and possibly earlier, contain a hard-coded cryptographic key in the CreateBossCredentials.jar file. An attacker that can access the bossinfo.pro file may be able to use the hard-coded AES key to decrypt its contents, including the BOSS database credentials.","impact":"A remote, authenticated attacker may be able to acquire privileged credentials to the BOSS database.","resolution":"Apply an update\nToshiba has addressed this issue by removing CreateBossCredentials.jar in versions 6.6 build level 4014 and 6.7 build level 4329. Users are advised to upgrade to the latest version available and to ensure that the CreateBossCredentials.jar file has been removed.","workarounds":"","sysaffected":"","thanks":"Thanks to David Odell for reporting this vulnerability.","author":"This document was written by Todd Lewellen and Joel Land.","public":["http://cwe.mitre.org/data/definitions/321.html"],"cveids":["CVE-2014-4875"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-07-16T13:44:20Z","publicdate":"2015-06-08T00:00:00Z","datefirstpublished":"2015-06-08T13:54:03Z","dateupdated":"2015-06-08T13:54:03Z","revision":22,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"N","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"UR","cvss_collateraldamagepotential":"LM","cvss_targetdistribution":"M","cvss_securityrequirementscr":"M","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"5","cvss_basevector":"AV:N/AC:L/Au:N/C:P/I:N/A:N","cvss_temporalscore":"4.3","cvss_environmentalscore":"4.47572474649","cvss_environmentalvector":"CDP:LM/TD:M/CR:M/IR:ND/AR:ND","metric":0.0,"vulnote":null}