The CMP CLI client in KeyFactor EJBCA before 8.3.1 has only 6 octets of salt, and is thus not compliant with the security requirements of RFC 4211, and might make man-in-the-middle attacks easier. CMP includes password-based MAC as one of the options for message integrity and authentication (the other option is certificate-based). RFC 4211 section 4.4 requires that password-based MAC parameters use a salt with a random value of at least 8 octets. This helps to inhibit dictionary attacks. Because the standalone CMP client originally was developed as test code, the salt was instead hardcoded and only 6 octets long.
References
Link | Resource |
---|---|
https://datatracker.ietf.org/doc/html/rfc4211#section-4.4 | Technical Description |
https://support.keyfactor.com/hc/en-us/articles/26965687021595-EJBCA-Security-Advisory-EJBCA-standalone-CMP-CLI-client | Mitigation Vendor Advisory |
Configurations
History
18 Sep 2024, 20:28
Type | Values Removed | Values Added |
---|---|---|
References | () https://datatracker.ietf.org/doc/html/rfc4211#section-4.4 - Technical Description | |
References | () https://support.keyfactor.com/hc/en-us/articles/26965687021595-EJBCA-Security-Advisory-EJBCA-standalone-CMP-CLI-client - Mitigation, Vendor Advisory | |
First Time |
Keyfactor
Keyfactor ejbca |
|
CWE | NVD-CWE-noinfo | |
CPE | cpe:2.3:a:keyfactor:ejbca:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 3.1 |
Summary |
|
12 Sep 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-12 19:15
Updated : 2024-09-18 20:28
NVD link : CVE-2024-36066
Mitre link : CVE-2024-36066
CVE.ORG link : CVE-2024-36066
JSON object : View
Products Affected
keyfactor
- ejbca
CWE