CVE-2019-25030 - Vulnerability Details - OpenCVE

In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as "rainbow tables") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Versa-networks	Versa Analytics Versa Director Versa Operating System

Configuration 1 [-]

OR	cpe:2.3:a:versa-networks:versa_analytics:-:::::::*
	cpe:2.3:a:versa-networks:versa_director:-:::::::*
	cpe:2.3:o:versa-networks:versa_operating_system:-:::::::*

No data.

References

Link	Providers
https://hackerone.com/reports/1168197

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2021-05-26T18:45:38

Updated: 2024-08-05T03:00:19.000Z

Reserved: 2021-04-23T00:00:00

Link: CVE-2019-25030

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-05-26T19:15:08.813

Modified: 2024-11-21T04:39:46.803

Link: CVE-2019-25030

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Versa Director, Versa Analytics, Versa VOS", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1"}]}], "descriptions": [{"lang": "en", "value": "In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as \"rainbow tables\") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "Insufficiently Protected Credentials (CWE-522)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-26T18:45:38", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1168197"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-25030", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Versa Director, Versa Analytics, Versa VOS", "version": {"version_data": [{"version_value": "Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as \"rainbow tables\") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insufficiently Protected Credentials (CWE-522)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/1168197", "refsource": "MISC", "url": "https://hackerone.com/reports/1168197"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:00:19.000Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/1168197"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-25030", "datePublished": "2021-05-26T18:45:38", "dateReserved": "2021-04-23T00:00:00", "dateUpdated": "2024-08-05T03:00:19.000Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:versa-networks:versa_analytics:-:*:*:*:*:*:*:*", "matchCriteriaId": "1D5BC5CF-B979-4689-BD33-45A8E8D16375", "vulnerable": true}, {"criteria": "cpe:2.3:a:versa-networks:versa_director:-:*:*:*:*:*:*:*", "matchCriteriaId": "4DE5070B-93B9-478C-999C-2E0D4B66868C", "vulnerable": true}, {"criteria": "cpe:2.3:o:versa-networks:versa_operating_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "02ECA632-35D4-4CCC-87D2-8160EC077EB7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as \"rainbow tables\") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible."}, {"lang": "es", "value": "En Versa Director, Versa Analytics y VOS, las contrase\u00f1as son procesadas usando una funci\u00f3n hash criptogr\u00e1fica adaptativa o una funci\u00f3n de derivation de clave antes del almacenamiento. Los algoritmos de hash populares basados ??en la construcci\u00f3n Merkle-Damgard (como MD5 y SHA-1) por s\u00ed solos son insuficientes para frustrar el descifrado de contrase\u00f1as. Unos atacantes pueden generar y utilizar hashes precalculados para todas las combinaciones posibles de caracteres de contrase\u00f1a (com\u00fanmente denominadas \"rainbow tables\") con relativa rapidez. El uso de algoritmos de hash adaptativos, como las funciones de derivaci\u00f3n de claves de cifrado y cifrado (es decir, PBKDF2) para cifrar contrase\u00f1as, hace que la generaci\u00f3n de tales rainbow tables sea computacionalmente inviable"}], "id": "CVE-2019-25030", "lastModified": "2024-11-21T04:39:46.803", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-26T19:15:08.813", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/1168197"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/1168197"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}