CVE-2022-25806: 
IGEL Universal Management Suite vulnerability analysis and mitigation

A hardcoded DES key vulnerability was discovered in the IGEL Universal Management Suite (UMS) 6.07.100, specifically in the PrefDBCredentials class. This vulnerability was disclosed on June 9, 2022. The issue allows an attacker with access to an encrypted dbpassword value to decrypt the password and gain superuser/database access to IGEL UMS and its database (Atredis Advisory, NIST NVD).

The vulnerability exists in the PrefDBCredentials class within RMGUI.jar. The class instantiates a static byte array with 8 bytes and uses that array as the cryptographic key for the encryption and decryption of the dbpassword value. The hardcoded DES key consists of the following bytes: { 5, -88, -123, -1, -10, 52, -28, 70 }. This implementation allows for the decryption of stored credentials, potentially exposing sensitive database access information (Atredis Advisory).

The vulnerability allows an attacker with access to encrypted dbpassword values to decrypt the passwords and gain superuser/database access to IGEL UMS and its database. This could potentially lead to unauthorized access to sensitive system configurations and data (Atredis Advisory).

The vendor recommends keeping the UMS database and its backups under strict access control as a mitigation measure since there are no patches available to address this vulnerability directly (Atredis Advisory).