CVE-2023-0452 - OpenCVE

Econolite EOS versions prior to 3.2.23 use a weak hash algorithm for encrypting privileged user credentials. A configuration file that is accessible without authentication uses MD5 hashes for encrypting credentials, including those of administrators and technicians.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Econolite	Eos

Configuration 1 [-]

cpe:2.3:a:econolite:eos:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-02	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2023-01-26T20:39:37.729Z

Updated: 2023-06-20T15:38:11.331Z

Reserved: 2023-01-23T18:19:28.691Z

Link: CVE-2023-0452

JSON object: View

NVD Information

Status : Modified

Published: 2023-01-26T21:18:08.860

Modified: 2023-06-20T16:15:09.780

Link: CVE-2023-0452

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-0452", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2023-01-23T18:19:28.691Z", "datePublished": "2023-01-26T20:39:37.729Z", "dateUpdated": "2023-06-20T15:38:11.331Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "EOS", "vendor": "Econolite", "versions": [{"lessThan": "3.2.23", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rustam Amin"}, {"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Rustam Amin"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Econolite EOS versions prior to 3.2.23 use a weak hash\nalgorithm for encrypting privileged user credentials. A configuration file that\nis accessible without authentication uses MD5 hashes for encrypting\ncredentials, including those of administrators and technicians.</p>\n\n\n\n\n\n"}], "value": "Econolite EOS versions prior to 3.2.23 use a weak hash\nalgorithm for encrypting privileged user credentials. A configuration file that\nis accessible without authentication uses MD5 hashes for encrypting\ncredentials, including those of administrators and technicians.\n\n\n\n\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-328", "description": "CWE-328 Use of Weak Hash", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-06-20T15:38:11.331Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-02"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:econolite:eos:*:*:*:*:*:*:*:*", "matchCriteriaId": "65A25AD1-88B9-4680-8F69-81308219D9F1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Econolite EOS versions prior to 3.2.23 use a weak hash\nalgorithm for encrypting privileged user credentials. A configuration file that\nis accessible without authentication uses MD5 hashes for encrypting\ncredentials, including those of administrators and technicians.\n\n\n\n\n\n\n\n"}, {"lang": "es", "value": "Las versiones de Econolite EOS anteriores a la 3.2.23 utilizan un algoritmo hash d\u00e9bil para cifrar las credenciales de usuarios privilegiados. Un archivo de configuraci\u00f3n al que se puede acceder sin autenticaci\u00f3n utiliza hashes MD5 para cifrar las credenciales, incluidas las de administradores y t\u00e9cnicos.\n\n\n"}], "id": "CVE-2023-0452", "lastModified": "2023-06-20T16:15:09.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2023-01-26T21:18:08.860", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-328"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-327"}], "source": "nvd@nist.gov", "type": "Secondary"}]}