Security

Safety risk

Please note that the tools help with many different workarounds and can also make a system safer, either by updating and patching it quickly and easily or by reducing administrator privileges to limit the security risk.
However, the tools are like a Swiss Army knife, and in this function they do not have any security level.
Running an application with user credentials other than those of the logged-in user, and reversible encryption, which is needed to run a program with credentials from an encrypted file, are generally classified as unsafe.
See also Microsoft Docs: Store passwords >> Data protection

Universal encryption key is used in RunAsSpc 4.0

Specification on MITRE: CVE-2022-26660

RunAsSpc 4.0.0.0 uses a universal and recoverable encryption key.
An attacker in possession of a file encrypted by RunAsSpc can recover the credentials that were used, because the encryption key is universal.
Recovery of the password used for encryption can be used for identity theft and privilege escalation.

The vulnerability was reported on 2022-03-01.
Thanks to the cyber security team INTRINSEC for the responsible disclosure.
intrinsec.com

Solutions


Date: 2022-06-21