CVE-2018-16499 - OpenCVE

In VOS compromised, an attacker at network endpoints can possibly view communications between an unsuspecting user and the service using man-in-the-middle attacks. Usage of unapproved SSH encryption protocols or cipher suites also violates the Data Protection TSR (Technical Security Requirements).

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Versa-networks	Versa Operating System

Configuration 1 [-]

cpe:2.3:o:versa-networks:versa_operating_system:-:*:*:*:*:*:*:*

References

Link	Resource
https://hackerone.com/reports/1168196	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2021-05-26T18:45:44

Updated: 2021-05-26T18:45:44

Reserved: 2018-09-04T00:00:00

Link: CVE-2018-16499

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-05-26T19:15:08.720

Modified: 2021-06-07T14:13:32.080

Link: CVE-2018-16499

JSON object: View

Redhat Information

No data.

CWE

CWE-326

{"containers": {"cna": {"affected": [{"product": "Versa VOS", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1"}]}], "descriptions": [{"lang": "en", "value": "In VOS compromised, an attacker at network endpoints can possibly view communications between an unsuspecting user and the service using man-in-the-middle attacks. Usage of unapproved SSH encryption protocols or cipher suites also violates the Data Protection TSR (Technical Security Requirements)."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-326", "description": "Inadequate Encryption Strength (CWE-326)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-26T18:45:44", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1168196"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2018-16499", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Versa VOS", "version": {"version_data": [{"version_value": "Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In VOS compromised, an attacker at network endpoints can possibly view communications between an unsuspecting user and the service using man-in-the-middle attacks. Usage of unapproved SSH encryption protocols or cipher suites also violates the Data Protection TSR (Technical Security Requirements)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Inadequate Encryption Strength (CWE-326)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/1168196", "refsource": "MISC", "url": "https://hackerone.com/reports/1168196"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2018-16499", "datePublished": "2021-05-26T18:45:44", "dateReserved": "2018-09-04T00:00:00", "dateUpdated": "2021-05-26T18:45:44", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:versa-networks:versa_operating_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "02ECA632-35D4-4CCC-87D2-8160EC077EB7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In VOS compromised, an attacker at network endpoints can possibly view communications between an unsuspecting user and the service using man-in-the-middle attacks. Usage of unapproved SSH encryption protocols or cipher suites also violates the Data Protection TSR (Technical Security Requirements)."}, {"lang": "es", "value": "En VOS comprometido, un atacante en los endpoints de la red posiblemente puede visualizar las comunicaciones entre un usuario desprevenido y el servicio mediante ataques de tipo man-in-the-middle. El uso de protocolos de cifrado SSH o conjuntos de cifrado no aprobados tambi\u00e9n viola los TSR de protecci\u00f3n de datos (Requisitos T\u00e9cnicos de Seguridad)"}], "id": "CVE-2018-16499", "lastModified": "2021-06-07T14:13:32.080", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-26T19:15:08.720", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/1168196"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-326"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-326"}], "source": "support@hackerone.com", "type": "Secondary"}]}