CVE-2024-45165 Information

Description

An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is sent between client and server with encryption. However the key is derived from the string (c)2007 UCI Software GmbH B.Boll\ (without quotes). The key is both static and hardcoded. With access to messages this results in message decryption and encryption by an attacker. Thus it enables passive and active man-in-the-middle attacks.

Reference

https://www.syss.de/en/responsible-disclosure-policy https://uci.de/products/index.html https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-048.txt https://uci.de/download/idol2-client.html http://download.uci.de/idol2/idol2Client_2_12.exe