CVE-2022-26660

7.5 HIGH

📋 TL;DR

RunAsSpc 4.0 uses a hardcoded encryption key that can be recovered by attackers. This allows anyone with access to encrypted credential files to decrypt and obtain stored credentials. All users of RunAsSpc 4.0 are affected.

💻 Affected Systems

Products:
  • RunAsSpc
Versions: Version 4.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of RunAsSpc 4.0 are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative credentials, leading to complete system compromise, lateral movement, and data exfiltration.

🟠 Likely Case

Attackers with file access recover stored credentials, potentially gaining unauthorized access to systems and applications.

🟢 If Mitigated

Limited to credential exposure without further exploitation if strong access controls and monitoring are in place.

🌐 Internet-Facing: MEDIUM - Requires access to encrypted files, but these could be exposed through misconfigurations or other vulnerabilities.
🏢 Internal Only: HIGH - Internal attackers or malware with file access can easily recover credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to encrypted credential files. The decryption method is publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.1 or later

Vendor Advisory: https://robotronic.de/secureen.html

Restart Required: No

Instructions:

1. Download RunAsSpc 4.1 or later from the vendor website.
2. Uninstall the vulnerable version.
3. Install the updated version.
4. Re-encrypt any stored credentials using the new version.

🔧 Temporary Workarounds

Remove encrypted credential files (Windows)

Delete all .spc files created by RunAsSpc to prevent credential recovery:

del /s *.spc

Restrict file access (Windows)

Set strict permissions on directories containing .spc files:

icacls "C:\Path\To\SPCFiles" /deny Everyone:(R,W,X)

🧯 If You Can't Patch

  • Stop using RunAsSpc for credential storage and switch to secure alternatives like Windows Credential Manager
  • Implement strict access controls and monitoring on all systems where RunAsSpc files are stored

🔍 How to Verify

Check if Vulnerable:

Check if RunAsSpc version 4.0 is installed and if any .spc files exist on the system

Check Version:

RunAsSpc.exe --version or check program properties

Verify Fix Applied:

Verify RunAsSpc version is 4.1 or later and that no old .spc files remain accessible

📡 Detection & Monitoring

Log Indicators:

  • Access to .spc files by unauthorized users or processes
  • Failed decryption attempts on credential files

Network Indicators:

  • Unusual authentication attempts using credentials that match RunAsSpc patterns

SIEM Query:

EventID=4663 AND ObjectName LIKE '%.spc' AND AccessMask IN ('0x10000', '0x120089')
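
One way to apply the log indicator and SIEM query above to exported events, as an added example (not part of the original advisory or any vendor tooling): it filters event 4663 records for .spc objects and tests individual access-right bits, which goes slightly beyond the exact-value match in the query. The records, paths, account names and the allowlisted launcher path are constructed assumptions.

```python
# Added example: triage Windows Security event 4663 records for .spc access.
# All event records, paths, users and the allowlist below are constructed.
RIGHTS = {0x1: "ReadData", 0x10000: "DELETE"}  # file access-right bits to watch


def decode_rights(mask):
    """Names of the watched access-right bits set in a 4663 AccessMask."""
    return [name for bit, name in RIGHTS.items() if mask & bit]


def flag_spc_access(events, allowed_processes):
    """Return 4663 events where a non-allowlisted process read or deleted a .spc file."""
    allowed = {p.lower() for p in allowed_processes}
    hits = []
    for e in events:
        if e.get("EventID") != 4663:
            continue
        if not e.get("ObjectName", "").lower().endswith(".spc"):
            continue
        # Bitwise test: a mask such as 0x120089 still contains ReadData (0x1).
        rights = decode_rights(int(e.get("AccessMask", "0x0"), 16))
        if not rights or e.get("ProcessName", "").lower() in allowed:
            continue
        hits.append((e.get("SubjectUserName"), e["ProcessName"], e["ObjectName"], rights))
    return hits


def make_event(user, proc, obj, mask, event_id=4663):
    """Build one constructed record using event 4663 field names."""
    return {"EventID": event_id, "SubjectUserName": user, "ProcessName": proc,
            "ObjectName": obj, "AccessMask": mask}


ALLOWED = [r"C:\Tools\runasspc.exe"]  # assumed install path of the launcher

SAMPLE_EVENTS = [  # constructed sample data
    make_event("svc_backup", r"C:\Tools\runasspc.exe", r"C:\Jobs\backup.spc", "0x1"),
    make_event("jdoe", r"C:\Windows\System32\notepad.exe", r"C:\Jobs\backup.spc", "0x120089"),
    make_event("jdoe", r"C:\Windows\System32\cmd.exe", r"C:\Jobs\OLD.SPC", "0x10000"),
    make_event("jdoe", r"C:\Windows\explorer.exe", r"C:\Jobs\backup.spc", "0x80"),
    make_event("jdoe", r"C:\Windows\System32\notepad.exe", r"C:\Jobs\notes.txt", "0x1"),
]

if __name__ == "__main__":
    for hit in flag_spc_access(SAMPLE_EVENTS, ALLOWED):
        print(hit)
```

Event 4663 is only written when object-access auditing is enabled and an audit entry (SACL) is set on the files or their directory.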
