CVE-2019-25030 - OpenCVE

In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as "rainbow tables") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Versa-networks	Versa Analytics Versa Operating System Versa Director

Configuration 1 [-]

OR	cpe:2.3:a:versa-networks:versa_analytics:-:::::::*
	cpe:2.3:a:versa-networks:versa_director:-:::::::*
	cpe:2.3:o:versa-networks:versa_operating_system:-:::::::*

References

Link	Resource
https://hackerone.com/reports/1168197	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2021-05-26T18:45:38

Updated: 2021-05-26T18:45:38

Reserved: 2021-04-23T00:00:00

Link: CVE-2019-25030

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-05-26T19:15:08.813

Modified: 2021-06-07T14:07:43.390

Link: CVE-2019-25030

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"containers": {"cna": {"affected": [{"product": "Versa Director, Versa Analytics, Versa VOS", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1"}]}], "descriptions": [{"lang": "en", "value": "In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as \"rainbow tables\") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "Insufficiently Protected Credentials (CWE-522)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-26T18:45:38", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1168197"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-25030", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Versa Director, Versa Analytics, Versa VOS", "version": {"version_data": [{"version_value": "Fixed Versions: 16.1R2S11, 20.2.2, 21.1.1, 21.2.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as \"rainbow tables\") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insufficiently Protected Credentials (CWE-522)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/1168197", "refsource": "MISC", "url": "https://hackerone.com/reports/1168197"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-25030", "datePublished": "2021-05-26T18:45:38", "dateReserved": "2021-04-23T00:00:00", "dateUpdated": "2021-05-26T18:45:38", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:versa-networks:versa_analytics:-:*:*:*:*:*:*:*", "matchCriteriaId": "1D5BC5CF-B979-4689-BD33-45A8E8D16375", "vulnerable": true}, {"criteria": "cpe:2.3:a:versa-networks:versa_director:-:*:*:*:*:*:*:*", "matchCriteriaId": "4DE5070B-93B9-478C-999C-2E0D4B66868C", "vulnerable": true}, {"criteria": "cpe:2.3:o:versa-networks:versa_operating_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "02ECA632-35D4-4CCC-87D2-8160EC077EB7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Versa Director, Versa Analytics and VOS, Passwords are not hashed using an adaptive cryptographic hash function or key derivation function prior to storage. Popular hashing algorithms based on the Merkle-Damgardconstruction (such as MD5 and SHA-1) alone are insufficient in thwarting password cracking. Attackers can generate and use precomputed hashes for all possible password character combinations (commonly referred to as \"rainbow tables\") relatively quickly. The use of adaptive hashing algorithms such asscryptorbcryptor Key-Derivation Functions (i.e.PBKDF2) to hash passwords make generation of such rainbow tables computationally infeasible."}, {"lang": "es", "value": "En Versa Director, Versa Analytics y VOS, las contrase\u00f1as son procesadas usando una funci\u00f3n hash criptogr\u00e1fica adaptativa o una funci\u00f3n de derivation de clave antes del almacenamiento. Los algoritmos de hash populares basados ??en la construcci\u00f3n Merkle-Damgard (como MD5 y SHA-1) por s\u00ed solos son insuficientes para frustrar el descifrado de contrase\u00f1as. Unos atacantes pueden generar y utilizar hashes precalculados para todas las combinaciones posibles de caracteres de contrase\u00f1a (com\u00fanmente denominadas \"rainbow tables\") con relativa rapidez. El uso de algoritmos de hash adaptativos, como las funciones de derivaci\u00f3n de claves de cifrado y cifrado (es decir, PBKDF2) para cifrar contrase\u00f1as, hace que la generaci\u00f3n de tales rainbow tables sea computacionalmente inviable"}], "id": "CVE-2019-25030", "lastModified": "2021-06-07T14:07:43.390", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-26T19:15:08.813", "references": [{"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/1168197"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "support@hackerone.com", "type": "Secondary"}]}