CVE-2019-14482 - OpenCVE

AdRem NetCrunch 10.6.0.4587 has a hardcoded SSL private key vulnerability in the NetCrunch web client. The same hardcoded SSL private key is used across different customers' installations when no other SSL certificate is installed, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Adremsoft	Netcrunch

Configuration 1 [-]

cpe:2.3:a:adremsoft:netcrunch:*:*:*:*:*:*:*:*

References

Link	Resource
https://compass-security.com/fileadmin/Research/Advisories/2020-16_CSNC-2019-017_AdRem_NetCrunch_Hardcoded_SSL_Private_Key.txt	Exploit Technical Description Third Party Advisory
https://www.adremsoft.com/support/	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-12-16T15:47:15

Updated: 2020-12-16T15:47:15

Reserved: 2019-08-01T00:00:00

Link: CVE-2019-14482

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-12-16T16:15:13.743

Modified: 2020-12-17T14:32:56.583

Link: CVE-2019-14482

JSON object: View

Redhat Information

No data.

CWE

CWE-798

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "AdRem NetCrunch 10.6.0.4587 has a hardcoded SSL private key vulnerability in the NetCrunch web client. The same hardcoded SSL private key is used across different customers' installations when no other SSL certificate is installed, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-12-16T15:47:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.adremsoft.com/support/"}, {"tags": ["x_refsource_MISC"], "url": "https://compass-security.com/fileadmin/Research/Advisories/2020-16_CSNC-2019-017_AdRem_NetCrunch_Hardcoded_SSL_Private_Key.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14482", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "AdRem NetCrunch 10.6.0.4587 has a hardcoded SSL private key vulnerability in the NetCrunch web client. The same hardcoded SSL private key is used across different customers' installations when no other SSL certificate is installed, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.adremsoft.com/support/", "refsource": "MISC", "url": "https://www.adremsoft.com/support/"}, {"name": "https://compass-security.com/fileadmin/Research/Advisories/2020-16_CSNC-2019-017_AdRem_NetCrunch_Hardcoded_SSL_Private_Key.txt", "refsource": "MISC", "url": "https://compass-security.com/fileadmin/Research/Advisories/2020-16_CSNC-2019-017_AdRem_NetCrunch_Hardcoded_SSL_Private_Key.txt"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14482", "datePublished": "2020-12-16T15:47:15", "dateReserved": "2019-08-01T00:00:00", "dateUpdated": "2020-12-16T15:47:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adremsoft:netcrunch:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4B129E0-82B5-48E8-A65B-9A339FFD9F30", "versionEndIncluding": "10.6.0.4587", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "AdRem NetCrunch 10.6.0.4587 has a hardcoded SSL private key vulnerability in the NetCrunch web client. The same hardcoded SSL private key is used across different customers' installations when no other SSL certificate is installed, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation."}, {"lang": "es", "value": "AdRem NetCrunch versi\u00f3n 10.6.0.4587, presenta una vulnerabilidad de clave privada SSL embebida en el cliente web NetCrunch. La misma clave privada SSL embebida es usada en las instalaciones de diferentes clientes cuando no se presenta ning\u00fan otro certificado SSL instalado, lo que permite a los atacantes remotos vencer los mecanismos de protecci\u00f3n criptogr\u00e1fica al aprovechar el conocimiento de esta clave de otra instalaci\u00f3n"}], "id": "CVE-2019-14482", "lastModified": "2020-12-17T14:32:56.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-16T16:15:13.743", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://compass-security.com/fileadmin/Research/Advisories/2020-16_CSNC-2019-017_AdRem_NetCrunch_Hardcoded_SSL_Private_Key.txt"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.adremsoft.com/support/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}