SiteMinder SDK - more info needed about vulnerability CWE: 321 Use of Hard-coded Cryptographic Key

Article ID: 269247

Updated On: 10-25-2023

Products

SITEMINDER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

A Veracode scan detects the following vulnerability in SiteMinder SDK 12.8.06:

CWE - 321 : Use of Hard-coded Cryptographic Key

CWE Definition: http://cwe.mitre.org/data/definitions/321.html
Number of vulnerabilities: 15
Description: The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Background Details:
Other Notes: The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.




 

Environment

Release : All SDK versions

Resolution

 

The vulnerability raised for Use of Hard-coded Cryptographic Key is a false positive.

 

When the custom program (SMAgentProxy) calls createSSOToken/decodeSSOToken, the encrypt/decrypt function gets called.
The Agent Keys are fetched to encrypt/decrypt cookies, the agent name, etc.

The Agent Keys used above to encrypt the inputs are not hard-coded; they are fetched from a Policy Server at regular doManagement thread intervals.
The Policy Server stores these keys in secure media (Key Store).
The AgentAPI module that fetches these agent keys stores them in memory for use during sensitive operations such as encryption/decryption.
The agent keys fetched from the Policy Server are rolled over based on configuration.

 

Because these keys are not hard-coded but are fetched from the Policy Server, where the keys tend to be rolled over at regular intervals, this vulnerability is a false positive for the SiteMinder SDK.
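
An added illustration, not SiteMinder SDK code, of the distinction the resolution draws: a key compiled into the binary (the CWE-321 pattern) versus a key fetched at intervals and held only in memory. The class name, `managementTick` and the locally generated keys are hypothetical stand-ins for the AgentAPI fetch from the Policy Server; the sketch keeps a single key, so it does not model how the product treats tokens issued before a rollover.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.concurrent.atomic.AtomicReference;

public class AgentKeyDemo {
    // CWE-321 pattern: the key is a constant that ships inside the binary.
    static final SecretKey HARDCODED =
        new SecretKeySpec("0123456789abcdef".getBytes(StandardCharsets.US_ASCII), "AES");
    // In-memory slot for the key most recently fetched from the key server.
    static final AtomicReference<SecretKey> current = new AtomicReference<>();

    // Hypothetical stand-in for the periodic fetch; a fresh random key per
    // call models a key that has been rolled over on the server side.
    static void managementTick() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        current.set(kg.generateKey());
    }

    static byte[] encrypt(SecretKey key, String text) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(text.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length); // iv || ciphertext+tag
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static String decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constant key: every build, on every host, decrypts with the same bytes.
        System.out.println(decrypt(HARDCODED, encrypt(HARDCODED, "constructed-token")));
        managementTick();                       // first fetch
        byte[] token = encrypt(current.get(), "constructed-token");
        System.out.println(decrypt(current.get(), token));
        managementTick();                       // rollover replaces the in-memory key
        try { decrypt(current.get(), token); }
        catch (AEADBadTagException e) { System.out.println("previous key no longer in use"); }
    }
}
```

When triaging a CWE-321 finding, the check is whether the bytes passed to the cipher trace back to a literal in the code, as `HARDCODED` does, or to a runtime fetch, as `current` does.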