Executive Summary
Summary | |
---|---|
Title | Wind River Systems VxWorks weak default hashing algorithm in standard authentication API (loginLib) |
Information | |||
---|---|---|---|
Name | VU#840249 | First vendor Publication | 2010-08-02 |
Vendor | VU-CERT | Last vendor Modification | 2010-09-02 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 7.8 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#840249
Wind River Systems VxWorks weak default hashing algorithm in standard authentication API (loginLib)

Overview
The hashing algorithm that is used in the standard authentication API for VxWorks is susceptible to collisions. An attacker can brute force a password by guessing a string that produces the same hash as a legitimate password.

I. Description
An attacker with a known username and access to a service (telnet, rlogin or FTP) that uses the standard authentication API (loginDefaultEncrypt(), part of loginLib) can brute force the password in a relatively short period of time. Since the hashing algorithm is susceptible to collisions, the actual password does not have to be found, just a string that produces the same hash.

For instance, when the default 'target/password' login example is used, 'y{{{{{kS' hashes to the same string as 'password'. It is thus possible to login using both 'password' and 'y{{{{{kS' as the passwords for the user 'target'.

In addition, and so as to avoid registration of the default 'target'/'password' credentials at init time, the LOGIN_USER_NAME and LOGIN_USER_PASSWORD project parameters/#defines should be set to empty strings (so that no user is registered using the default encryption routine). Only after the new encryption routine is registered should new users be added to the system.
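Added example (not part of the CERT note and not Wind River code): a C reconstruction of the default loginLib hash as publicly described, showing why 'password' and 'y{{{{{kS' are interchangeable. The constant, the digit-to-letter mapping and the helper names are assumptions not taken from this page; the reconstruction reproduces the collision quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Core of the routine: each byte is weighted by its 1-based position and
 * XORed with that position, then everything is added up. The final hash
 * depends on nothing but this small integer. */
static uint32_t weak_sum(const char *pw)
{
    uint32_t sum = 0;
    size_t n = strlen(pw);
    for (size_t i = 0; i < n; i++)
        sum += ((uint32_t)(unsigned char)pw[i] * (uint32_t)(i + 1))
               ^ (uint32_t)(i + 1);
    return sum;
}

/* Reconstructed default hash (assumed algorithm). Returns 0 on success,
 * -1 when the length is outside the accepted 8..40 range. */
static int weak_hash(const char *pw, char out[16])
{
    const uint32_t magic = 31695317u;  /* assumed constant, public write-ups */
    size_t n = strlen(pw);
    if (n < 8 || n > 40)
        return -1;
    snprintf(out, 16, "%u", (unsigned)(weak_sum(pw) * magic));
    for (char *p = out; *p; p++) {     /* decimal digits mapped to letters */
        if (*p < '3') *p += '!';
        if (*p < '7') *p += '/';
        if (*p < '9') *p += 'B';
    }
    return 0;
}

/* 1 when both strings would be accepted for the same account. */
static int collides(const char *a, const char *b)
{
    char ha[16], hb[16];
    if (weak_hash(a, ha) || weak_hash(b, hb))
        return 0;
    return strcmp(ha, hb) == 0;
}

/* Upper bound on the sum for 40 printable ASCII bytes (<= 126):
 * (c*i)^i <= c*i + i, so the bound is 127 * (1 + 2 + ... + 40). */
static uint32_t max_sum_bound(void)
{
    return 127u * (40u * 41u / 2u);
}
```

Because every accepted password maps to one of at most `max_sum_bound()` sums, the stored hash carries far less information than the password, which is the reason to register a replacement encryption routine before any user is added.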
References
http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

Thanks to HD Moore for reporting this vulnerability. This document was written by Jared Allar.
Original Source
Url : http://www.kb.cert.org/vuls/id/840249 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-310 | Cryptographic Issues |
50 % | CWE-255 | Credentials Management |
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
66909 | Wind River Systems' VxWorks INCLUDE_SECURITY Functionality Multiple Parameter... |
66843 | Wind River Systems' VxWorks loginLib Default Hashing Algorithm Weakness VxWorks contains a flaw that may allow an attacker to brute force a known backdoor account over FTP with trivial effort. The issue is triggered in combination with a flaw that allows arbitrary memory access, which allows the backdoor account name to be discovered. |