CVE-2019-25030

In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as "rainbow tables") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://hackerone.com/reports/1168197	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:versa-networks:versa_analytics:-:::::::*
	cpe:2.3:a:versa-networks:versa_director:-:::::::*
	cpe:2.3:o:versa-networks:versa_operating_system:-:::::::*

History

07 Jun 2021, 14:07

Type	Values Removed	Values Added
References	~~(MISC) https://hackerone.com/reports/1168197 -~~	(MISC) https://hackerone.com/reports/1168197 - Third Party Advisory
CWE		CWE-522
CPE		cpe:2.3:a:versa-networks:versa_analytics:-:::::::* cpe:2.3:o:versa-networks:versa_operating_system:-:::::::* cpe:2.3:a:versa-networks:versa_director:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 2.1 v3 : 5.5

26 May 2021, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-05-26 19:15

Updated : 2024-02-04 21:47

NVD link : CVE-2019-25030

Mitre link : CVE-2019-25030

CVE.ORG link : CVE-2019-25030

JSON object : View

Products Affected

versa-networks

versa_operating_system
versa_director
versa_analytics

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2019-25030", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2021-05-26T19:15:08.813", "references": [{"url": "https://hackerone.com/reports/1168197", "tags": ["Third Party Advisory"], "source": "support@hackerone.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}, {"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as \"rainbow tables\") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible."}, {"lang": "es", "value": "En Versa Director, Versa Analytics y VOS, las contrase\u00f1as son procesadas usando una funci\u00f3n hash criptogr\u00e1fica adaptativa o una funci\u00f3n de derivation de clave antes del almacenamiento. Los algoritmos de hash populares basados ??en la construcci\u00f3n Merkle-Damgard (como MD5 y SHA-1) por s\u00ed solos son insuficientes para frustrar el descifrado de contrase\u00f1as. Unos atacantes pueden generar y utilizar hashes precalculados para todas las combinaciones posibles de caracteres de contrase\u00f1a (com\u00fanmente denominadas \"rainbow tables\") con relativa rapidez. El uso de algoritmos de hash adaptativos, como las funciones de derivaci\u00f3n de claves de cifrado y cifrado (es decir, PBKDF2) para cifrar contrase\u00f1as, hace que la generaci\u00f3n de tales rainbow tables sea computacionalmente inviable"}], "lastModified": "2021-06-07T14:07:43.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:versa-networks:versa_analytics:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D5BC5CF-B979-4689-BD33-45A8E8D16375"}, {"criteria": "cpe:2.3:a:versa-networks:versa_director:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4DE5070B-93B9-478C-999C-2E0D4B66868C"}, {"criteria": "cpe:2.3:o:versa-networks:versa_operating_system:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02ECA632-35D4-4CCC-87D2-8160EC077EB7"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}