cryptctl: client side password hashing is equivalent to clear text password storage
अनुवाद हो रहा है…प्लेटफ़ॉर्म
linux
घटक
cryptctl
में ठीक किया गया
2.4
2.4
CVE-2019-18906 is an Improper Authentication vulnerability affecting the cryptctl component in SUSE Linux Enterprise Server for SAP 12-SP5 and SUSE Manager Server 4.0. This flaw allows attackers possessing a hashed password to authenticate without cracking it, potentially leading to unauthorized access to sensitive data. The vulnerability impacts versions of cryptctl prior to 2.4, and a fix is available in version 2.4.
प्रभाव और हमले की स्थितियाँअनुवाद हो रहा है…
The primary impact of CVE-2019-18906 is the potential for unauthorized access to encrypted data managed by cryptctl. An attacker who obtains a hashed password, either through previous breaches or other means, can leverage this vulnerability to bypass the normal authentication process and gain access to protected resources. This could include sensitive configuration files, encryption keys, or other confidential information. The blast radius is limited to systems where the vulnerable cryptctl version is deployed and where hashed passwords are accessible to a malicious actor. This vulnerability shares similarities with other authentication bypass flaws where weak password hashing or inadequate authentication checks are exploited.
शोषण संदर्भअनुवाद हो रहा है…
CVE-2019-18906 was publicly disclosed in June 2021. While no active exploitation campaigns have been definitively linked to this CVE, the CRITICAL severity score indicates a high potential for exploitation if the vulnerability is discovered and exploited. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the ease of exploitation given access to a hashed password makes it a significant risk.
कौन जोखिम में हैअनुवाद हो रहा है…
Organizations running SUSE Linux Enterprise Server for SAP 12-SP5 and SUSE Manager Server 4.0 with versions of cryptctl prior to 2.4 are at risk. This includes environments that rely heavily on encryption for data protection and those with legacy systems that may be difficult to upgrade quickly. Shared hosting environments using these platforms are also particularly vulnerable.
पहचान के चरणअनुवाद हो रहा है…
• linux / server:
journalctl -u cryptctl | grep -i "authentication success"• linux / server:
ps aux | grep cryptctl• linux / server:
find / -name 'cryptctl' -type fहमले की समयरेखा
- Discovery
discovery
- Disclosure
disclosure
खतरा खुफिया
एक्सप्लॉइट स्थिति
EPSS
0.33% (56% शतमक)
CVSS वेक्टर
इन मेट्रिक्स का क्या मतलब है?
- Attack Vector
- नेटवर्क — इंटरनेट के माध्यम से दूरस्थ रूप से शोषण योग्य। कोई भौतिक या स्थानीय पहुंच आवश्यक नहीं।
- Attack Complexity
- निम्न — कोई विशेष शर्त नहीं। विश्वसनीय रूप से शोषण योग्य।
- Privileges Required
- कोई नहीं — बिना प्रमाणीकरण के शोषण योग्य।
- User Interaction
- कोई नहीं — स्वचालित और मूक हमला। पीड़ित कुछ नहीं करता।
- Scope
- अपरिवर्तित — प्रभाव केवल कमज़ोर घटक तक सीमित।
- Confidentiality
- उच्च — पूर्ण गोपनीयता हानि। हमलावर सभी डेटा पढ़ सकता है।
- Integrity
- उच्च — हमलावर कोई भी डेटा लिख, बदल या हटा सकता है।
- Availability
- उच्च — पूर्ण क्रैश या संसाधन समाप्ति। पूर्ण सेवा से इनकार।
प्रभावित सॉफ्टवेयर
कमजोरी वर्गीकरण (CWE)
समयरेखा
- आरक्षित
- प्रकाशित
- संशोधित
- EPSS अद्यतन
शमन और वर्कअराउंडअनुवाद हो रहा है…
The primary mitigation for CVE-2019-18906 is to upgrade cryptctl to version 2.4 or later. If an immediate upgrade is not feasible due to compatibility concerns or system downtime requirements, consider implementing stricter password policies to minimize the risk of attackers obtaining valid hashed passwords. While a direct workaround is not available, reviewing and auditing access controls to encrypted data can help detect and prevent unauthorized access. After upgrading, confirm the fix by attempting authentication with a known hashed password and verifying that it is rejected.
कैसे ठीक करेंअनुवाद हो रहा है…
Actualice el paquete cryptctl a la versión 2.4 o superior. Esto solucionará la vulnerabilidad de autenticación incorrecta que permite a los atacantes usar la contraseña con hash sin tener que descifrarla.
CVE सुरक्षा न्यूज़लेटर
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
अक्सर पूछे जाने वाले सवालअनुवाद हो रहा है…
What is CVE-2019-18906 — Improper Authentication in cryptctl?
CVE-2019-18906 is a critical vulnerability in the cryptctl component of SUSE Linux Enterprise Server for SAP and SUSE Manager Server, allowing attackers with hashed passwords to bypass authentication.
Am I affected by CVE-2019-18906 in cryptctl?
You are affected if you are running SUSE Linux Enterprise Server for SAP 12-SP5 or SUSE Manager Server 4.0 with cryptctl versions prior to 2.4.
How do I fix CVE-2019-18906 in cryptctl?
Upgrade cryptctl to version 2.4 or later to resolve the vulnerability. Review and strengthen password policies as a preventative measure.
Is CVE-2019-18906 being actively exploited?
While no active campaigns have been definitively linked, the CRITICAL severity suggests a high potential for exploitation if the vulnerability is discovered.
Where can I find the official SUSE advisory for CVE-2019-18906?
Refer to the SUSE Security Advisory for detailed information and mitigation steps: https://www.suse.com/security/cve/CVE-2019-18906/
क्या आपका प्रोजेक्ट प्रभावित है?
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।