I've discovered that the CBC encryption mode implemented in the Encrypt function located in the crypt.go file (part of the github.com/netbirdio/netbird/management/server/activity/sqlite package) utilizes a static initialization vector (IV). This practice is known to compromise the security of the encrypted data, as using a predictable IV can lead to pattern leaks and potentially allow attackers to infer information about the plaintext.
Expected behavior
For security purposes, each encryption operation should utilize a unique and unpredictable IV, maybe it can derived from the key.
Describe the problem
I've discovered that the CBC encryption mode implemented in the
Encrypt
function located in thecrypt.go
file (part of thegithub.com/netbirdio/netbird/management/server/activity/sqlite
package) utilizes a static initialization vector (IV). This practice is known to compromise the security of the encrypted data, as using a predictable IV can lead to pattern leaks and potentially allow attackers to infer information about the plaintext.Expected behavior
For security purposes, each encryption operation should utilize a unique and unpredictable IV, maybe it can derived from the key.
NetBird version
<=0.28.4
Screenshots