CVE-2018-15124 - OpenCVE

Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Zipato	Zipabox Firmware Zipabox

Configuration 1 [-]

AND

cpe:2.3:o:zipato:zipabox_firmware:118:*:*:*:*:*:*:*

cpe:2.3:h:zipato:zipabox:-:*:*:*:*:*:*:*

References

Link	Resource
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/08/08/klcert-18-004-zipato-zipabox-weak-hash-algorithm/	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Kaspersky

Published: 2018-08-08T00:00:00

Updated: 2018-08-13T20:57:01

Reserved: 2018-08-06T00:00:00

Link: CVE-2018-15124

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-08-13T21:48:01.477

Modified: 2018-10-10T15:35:01.270

Link: CVE-2018-15124

JSON object: View

Redhat Information

No data.

CWE

CWE-326

{"containers": {"cna": {"affected": [{"product": "Zipato Zipabox Smart Home Controller", "vendor": "Kaspersky Lab", "versions": [{"status": "affected", "version": "BOARD REV - 1"}, {"status": "affected", "version": "SYSTEM VERSION -118"}]}], "datePublic": "2018-08-08T00:00:00", "descriptions": [{"lang": "en", "value": "Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device."}], "problemTypes": [{"descriptions": [{"description": "Weak hashing algorithm", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-08-13T20:57:01", "orgId": "e45d732a-8f6b-4b6b-be76-7420f6a2b988", "shortName": "Kaspersky"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/08/08/klcert-18-004-zipato-zipabox-weak-hash-algorithm/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerability@kaspersky.com", "DATE_PUBLIC": "2018-08-08T00:00:00", "ID": "CVE-2018-15124", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Zipato Zipabox Smart Home Controller", "version": {"version_data": [{"version_value": "BOARD REV - 1"}, {"version_value": "SYSTEM VERSION -118"}]}}]}, "vendor_name": "Kaspersky Lab"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Weak hashing algorithm"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/08/08/klcert-18-004-zipato-zipabox-weak-hash-algorithm/", "refsource": "MISC", "url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/08/08/klcert-18-004-zipato-zipabox-weak-hash-algorithm/"}]}}}}, "cveMetadata": {"assignerOrgId": "e45d732a-8f6b-4b6b-be76-7420f6a2b988", "assignerShortName": "Kaspersky", "cveId": "CVE-2018-15124", "datePublished": "2018-08-08T00:00:00", "dateReserved": "2018-08-06T00:00:00", "dateUpdated": "2018-08-13T20:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zipato:zipabox_firmware:118:*:*:*:*:*:*:*", "matchCriteriaId": "6217A685-8A45-4CE6-AD09-2686F0D77DB2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:zipato:zipabox:-:*:*:*:*:*:*:*", "matchCriteriaId": "A337B85F-C7BD-4B11-9ED5-8740958BEB3F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device."}, {"lang": "es", "value": "Algoritmo de hasheo d\u00e9bil en Zipato Zipabox Smart Home Controller BOARD REV - 1 con versi\u00f3n de sistema 118 permite que un atacante no autenticado extraiga contrase\u00f1as en texto claro y obtener acceso root al dispositivo."}], "id": "CVE-2018-15124", "lastModified": "2018-10-10T15:35:01.270", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-13T21:48:01.477", "references": [{"source": "vulnerability@kaspersky.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/08/08/klcert-18-004-zipato-zipabox-weak-hash-algorithm/"}], "sourceIdentifier": "vulnerability@kaspersky.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-326"}], "source": "nvd@nist.gov", "type": "Primary"}]}