CVE-2024-45165

MEDIUM

UCI IDOL 2 < 2.12 - Use of Hard-coded Credentials for Message Encryption


Description

An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data sent between client and server is encrypted; however, the encryption key is derived from the string "(c)2007 UCI Software GmbH B.Boll" (without quotes), so the key is both static and hardcoded. An attacker with access to the messages can therefore decrypt them and encrypt messages of their own, which enables both passive and active man-in-the-middle attacks.

Scores

CVSS v3 5.3
EPSS 0.0017
EPSS Percentile 7.1%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-798
Status published
Products (1)
uci/idol2 < 2.12
Published Aug 22, 2024
Tracked Since Feb 18, 2026