Full Report
The Mendix Encryption module versions V10.0.0 and V10.0.1 define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified. This could allow an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised. Siemens has released a new version of Mendix Encryption and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Hard-coded Default Encryption Key in Mendix Encryption Module
## CVE Details
- CVE ID: CVE-2024-39888
- CVSS Score: 7.5 (High) (CVSS v3.1) / 8.7 (Critical) (CVSS v4.0)
- CWE: CWE-547: Use of Hard-coded, Security-relevant Constants
## Affected Systems
- Products: Mendix Encryption module
- Versions: V10.0.0 and V10.0.1 (All versions $\ge$ V10.0.0 and $<$ V10.0.2)
- Configurations: Projects utilizing the default `EncryptionKey` constant because no individual key was specified.
## Vulnerability Description
The Mendix Encryption module versions V10.0.0 and V10.0.1 inappropriately define a hard-coded default value for the `EncryptionKey` constant. If a project does not specify a custom encryption key, this hard-coded key is used for encryption processes (e.g., Plain text, FileDocument encryption). Because this key is hard-coded and publicly known/discoverable, it is considered compromised, allowing an attacker to decrypt any data encrypted using this default key.
## Exploitation
- Status: PoC available (not confirmed by the advisory itself; inferred from the nature of the flaw, since a publicly known default key makes decryption of affected data straightforward)
- Complexity: Low (CVSS v3.1: AC:L)
- Attack Vector: Network (CVSS v3.1: AV:N)
## Impact
- Confidentiality: High (Attacker can decrypt all data secured with the default key)
- Integrity: No impact documented
- Availability: No impact documented
## Remediation
### Patches
- Update the Mendix Encryption module to **V10.0.2 or later**.
- Link for update: https://marketplace.mendix.com/link/component/1011
### Workarounds
- No product-level workarounds were detailed beyond updating the module. Siemens recommends following its general security guidelines:
  - Configure network access to devices using appropriate protection mechanisms.
  - Configure the environment according to Siemens' operational guidelines for Industrial Security.
## Detection
- Audit the deployed Mendix Encryption module version to confirm whether it is below the patched version (V10.0.2).
- Search deployment configurations for use of the default, hard-coded `EncryptionKey` constant (or for no project-specific key at all, which causes the module to fall back to the default) instead of a custom, securely managed key.
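An added audit helper that applies both detection checks above to an exported runtime configuration; it is example code written for this report, not code from Siemens or Mendix. The constant name `Encryption.EncryptionKey`, the configuration mapping and the default-key placeholder are assumptions, since the advisory does not print the compromised default value.

```python
import re

# The advisory does not print the hard-coded default key, so this is a placeholder;
# a defender replaces it with the value taken from their own copy of V10.0.0/V10.0.1.
COMPROMISED_DEFAULT_KEYS = {"<DEFAULT-ENCRYPTIONKEY-PLACEHOLDER>"}

AFFECTED_MIN = (10, 0, 0)   # first affected module version
FIXED = (10, 0, 2)          # first fixed module version

# Assumed constant name (Mendix constants are addressed as Module.Constant).
KEY_CONSTANT = "Encryption.EncryptionKey"


def parse_version(v):
    """'V10.0.1' or '10.0.1' -> (10, 0, 1); rejects anything else."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised module version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(v):
    """True when AFFECTED_MIN <= version < FIXED."""
    return AFFECTED_MIN <= parse_version(v) < FIXED


def audit(module_version, constants):
    """Return findings for one deployment.

    constants: mapping of constant names to configured values, as exported from
    the deployment's runtime configuration (export format is assumed here)."""
    findings = []
    if is_affected_version(module_version):
        findings.append(f"module {module_version} is in the affected range; "
                        "update to V10.0.2 or later")
    key = constants.get(KEY_CONSTANT)
    if key is None or key == "":
        findings.append("no project-specific EncryptionKey configured; "
                        "the module falls back to the hard-coded default")
    elif key in COMPROMISED_DEFAULT_KEYS:
        findings.append("EncryptionKey is set to the compromised hard-coded default")
    return findings


# Constructed sample deployment: affected version and no key configured.
SAMPLE_DEPLOYMENT = {"module_version": "V10.0.1", "constants": {}}

if __name__ == "__main__":
    for f in audit(SAMPLE_DEPLOYMENT["module_version"], SAMPLE_DEPLOYMENT["constants"]):
        print("FINDING:", f)
```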
## References
- Siemens Advisory: SSA-998949
- Siemens Product Security Portal: https://www.siemens.com/cert/advisories