CWE-522
Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CVE-2023-43633 (GCVE-0-2023-43633)
Vulnerability from cvelistv5 – Published: 2023-09-21 13:08 – Updated: 2024-09-24 17:00
VLAI
Title
Debug Functions Unlockable Without Triggering Measured Boot
Summary
On boot, the Pillar eve container checks for the existence and content of
“/config/GlobalConfig/global.json”.
If the file exists, it overrides the existing configuration on the device on boot.
This allows an attacker to change the system’s configuration, which also includes some
debug functions.
This could be used to unlock the ssh with custom “authorized_keys” via the
“debug.enable.ssh” key, similar to the “authorized_keys” finding that was noted before.
Other usages include unlocking the usb to enable the keyboard via the “debug.enable.usb”
key, allowing VNC access via the “app.allow.vnc” key, and more.
An attacker could easily enable these debug functionalities without triggering the “measured
boot” mechanism implemented by EVE OS, and without marking the device as “UUD”
(“Unknown Update Detected”).
This is because the “/config” partition is not protected by “measured boot”, it is mutable and it
is not encrypted in any way.
An attacker can gain full control over the device without changing the PCR values, thereby not
triggering the “measured boot” mechanism, and having full access to the vault.
Note:
This issue was partially fixed in these commits (after disclosure to Zededa), where the config
partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889.
This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| LF-Edge, Zededa | EVE OS |
Affected:
0 , < 8.6.0
(release)
Affected: 9.0.0 , < 9.5.0 (release) |
|
| lfedge | eve |
Affected:
0 , < 8.6.0
(custom)
Affected: 9.0.0 , < 9.5.0 (custom) cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.779Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://asrg.io/security-advisories/cve-2023-43633/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "eve",
"vendor": "lfedge",
"versions": [
{
"lessThan": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43633",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T16:59:36.660433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T17:00:40.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "EVE OS",
"product": "EVE OS",
"programFiles": [
"https://github.com/lf-edge/eve/tree/master/pkg/pillar/evetpm/tpm.go",
"https://github.com/lf-edge/eve/tree/master/pkg/grub/rootfs.cfg"
],
"repo": "https://github.com/lf-edge/eve",
"vendor": " LF-Edge, Zededa",
"versions": [
{
"lessThan": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "release"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.0.0",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ilay Levi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nOn boot, the Pillar eve container checks for the existence and content of\n\u201c/config/GlobalConfig/global.json\u201d.\n\u003cbr\u003eIf the file exists, it overrides the existing configuration on the device on boot.\n\u003cbr\u003eThis allows an attacker to change the system\u2019s configuration, which also includes some\ndebug functions.\n\u003cbr\u003eThis could be used to unlock the ssh with custom \u201cauthorized_keys\u201d via the\n\u201cdebug.enable.ssh\u201d key, similar to the \u201cauthorized_keys\u201d finding that was noted before.\n\u003cbr\u003eOther usages include unlocking the usb to enable the keyboard via the \u201cdebug.enable.usb\u201d\nkey, allowing VNC access via the \u201capp.allow.vnc\u201d key, and more.\n\u003cbr\u003eAn attacker could easily enable these debug functionalities without triggering the \u201cmeasured\nboot\u201d mechanism implemented by EVE OS, and without marking the device as \u201cUUD\u201d\n(\u201cUnknown Update Detected\u201d).\nThis is because the \u201c/config\u201d partition is not protected by \u201cmeasured boot\u201d, it is mutable and it\nis not encrypted in any way.\u003cbr\u003e\u003cbr\u003e\n\n\n\nAn attacker can gain full control over the device without changing the PCR values, thereby not\ntriggering the \u201cmeasured boot\u201d mechanism, and having full access to the vault.\n\n\n\u003cbr\u003e\u003cbr\u003eNote:\n\u003cbr\u003eThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\npartition measurement was added to PCR13:\n\u003cbr\u003e\u2022 aa3501d6c57206ced222c33aea15a9169d629141\n\u003cbr\u003e\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\n\u003cbr\u003eThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot."
}
],
"value": "\nOn boot, the Pillar eve container checks for the existence and content of\n\u201c/config/GlobalConfig/global.json\u201d.\n\nIf the file exists, it overrides the existing configuration on the device on boot.\n\nThis allows an attacker to change the system\u2019s configuration, which also includes some\ndebug functions.\n\nThis could be used to unlock the ssh with custom \u201cauthorized_keys\u201d via the\n\u201cdebug.enable.ssh\u201d key, similar to the \u201cauthorized_keys\u201d finding that was noted before.\n\nOther usages include unlocking the usb to enable the keyboard via the \u201cdebug.enable.usb\u201d\nkey, allowing VNC access via the \u201capp.allow.vnc\u201d key, and more.\n\nAn attacker could easily enable these debug functionalities without triggering the \u201cmeasured\nboot\u201d mechanism implemented by EVE OS, and without marking the device as \u201cUUD\u201d\n(\u201cUnknown Update Detected\u201d).\nThis is because the \u201c/config\u201d partition is not protected by \u201cmeasured boot\u201d, it is mutable and it\nis not encrypted in any way.\n\n\n\n\n\nAn attacker can gain full control over the device without changing the PCR values, thereby not\ntriggering the \u201cmeasured boot\u201d mechanism, and having full access to the vault.\n\n\n\n\nNote:\n\nThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\npartition measurement was added to PCR13:\n\n\u2022 aa3501d6c57206ced222c33aea15a9169d629141\n\n\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\n\nThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-28T05:33:11.251Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"url": "https://asrg.io/security-advisories/cve-2023-43633/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Debug Functions Unlockable Without Triggering Measured Boot",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2023-43633",
"datePublished": "2023-09-21T13:08:58.659Z",
"dateReserved": "2023-09-20T14:34:14.874Z",
"dateUpdated": "2024-09-24T17:00:40.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43634 (GCVE-0-2023-43634)
Vulnerability from cvelistv5 – Published: 2023-09-21 13:05 – Updated: 2024-09-24 16:54
VLAI
Title
Config Partition Not Protected by Measured Boot
Summary
When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs
are used.
In a previous project, CYMOTIVE found that the configuration is not protected by the secure
boot, and in response Zededa implemented measurements on the config partition that was
mapped to PCR 13.
In that process, PCR 13 was added to the list of PCRs that seal/unseal the key.
In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition
measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of
PCRs that seal/unseal the key.
This change makes the measurement of PCR 14 effectively redundant as it would not affect
the sealing/unsealing of the key.
An attacker could modify the config partition without triggering the measured boot, this could
result in the attacker gaining full control over the device with full access to the contents of the
encrypted “vault”
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| LF-Edge, Zededa | EVE OS |
Affected:
0 , < 8.6.0
(release)
Affected: 9.0.0 , < 9.5.0 (release) |
|
| lfedge | eve |
Affected:
0 , < 8.6.0
(custom)
Affected: 9.0.0 , < 9.5.0 (custom) cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://asrg.io/security-advisories/cve-2023-43634/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "eve",
"vendor": "lfedge",
"versions": [
{
"lessThan": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T16:48:31.106489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T16:54:58.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "EVE OS",
"product": "EVE OS",
"programFiles": [
"https://github.com/lf-edge/eve/tree/master/pkg/pillar/evetpm/tpm.go",
"https://github.com/lf-edge/eve/tree/master/pkg/grub/rootfs.go",
"https://github.com/lf-edge/eve/tree/master/pkg/measure-config/src/measurefs.go"
],
"repo": "https://github.com/lf-edge/eve",
"vendor": " LF-Edge, Zededa",
"versions": [
{
"lessThan": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "release"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.0.0",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ilay Levi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nWhen sealing/unsealing the \u201cvault\u201d key, a list of PCRs is used, which defines which PCRs\nare used.\n\u003cbr\u003eIn a previous project, CYMOTIVE found that the configuration is not protected by the secure\nboot, and in response Zededa implemented measurements on the config partition that was\nmapped to PCR 13.\n\u003cbr\u003eIn that process, PCR 13 was added to the list of PCRs that seal/unseal the key.\n\u003cbr\u003eIn commit \u201c56e589749c6ff58ded862d39535d43253b249acf\u201d, the config partition\nmeasurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of\nPCRs that seal/unseal the key.\n\u003cbr\u003eThis change makes the measurement of PCR 14 effectively redundant as it would not affect\nthe sealing/unsealing of the key.\u003cbr\u003e\u003cbr\u003e\n\nAn attacker could modify the config partition without triggering the measured boot, this could\nresult in the attacker gaining full control over the device with full access to the contents of the\nencrypted \u201cvault\u201d\n\n\n\n\u003cbr\u003e"
}
],
"value": "\nWhen sealing/unsealing the \u201cvault\u201d key, a list of PCRs is used, which defines which PCRs\nare used.\n\nIn a previous project, CYMOTIVE found that the configuration is not protected by the secure\nboot, and in response Zededa implemented measurements on the config partition that was\nmapped to PCR 13.\n\nIn that process, PCR 13 was added to the list of PCRs that seal/unseal the key.\n\nIn commit \u201c56e589749c6ff58ded862d39535d43253b249acf\u201d, the config partition\nmeasurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of\nPCRs that seal/unseal the key.\n\nThis change makes the measurement of PCR 14 effectively redundant as it would not affect\nthe sealing/unsealing of the key.\n\n\n\nAn attacker could modify the config partition without triggering the measured boot, this could\nresult in the attacker gaining full control over the device with full access to the contents of the\nencrypted \u201cvault\u201d\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-28T05:35:08.666Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"url": "https://asrg.io/security-advisories/cve-2023-43634/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": " Config Partition Not Protected by Measured Boot",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2023-43634",
"datePublished": "2023-09-21T13:05:14.046Z",
"dateReserved": "2023-09-20T14:34:14.874Z",
"dateUpdated": "2024-09-24T16:54:58.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43635 (GCVE-0-2023-43635)
Vulnerability from cvelistv5 – Published: 2023-09-20 14:58 – Updated: 2024-09-25 14:37
VLAI
Title
Vault Key Sealed With SHA1 PCRs
Summary
Vault Key Sealed With SHA1 PCRs
The measured boot solution implemented in EVE OS leans on a PCR locking mechanism.
Different parts of the system update different PCR values in the TPM, resulting in a unique
value for each PCR entry.
These PCRs are then used in order to seal/unseal a key from the TPM which is used to
encrypt/decrypt the “vault” directory.
This “vault” directory is the most sensitive point in the system and as such, its content should
be protected.
This mechanism is noted in Zededa’s documentation as the “measured boot” mechanism,
designed to protect said “vault”.
The code that’s responsible for generating and fetching the key from the TPM assumes that
SHA256 PCRs are used in order to seal/unseal the key, and as such their presence is being
checked.
The issue here is that the key is not sealed using SHA256 PCRs, but using SHA1 PCRs.
This leads to several issues:
• Machines that have their SHA256 PCRs enabled but SHA1 PCRs disabled, as well
as not sealing their keys at all, meaning the “vault” is not protected from an attacker.
• SHA1 is considered insecure and reduces the complexity level required to unseal the
key in machines which have their SHA1 PCRs enabled.
An attacker can very easily retrieve the contents of the “vault”, which will effectively render
the “measured boot” mechanism meaningless.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| LF-Edge, Zededa | EVE OS |
Affected:
0 , < 9.5.0
(release)
|
|
| linuxfoundation | edge_virtualization_engine |
Affected:
0 , < 9.5.0
(custom)
cpe:2.3:o:linuxfoundation:edge_virtualization_engine:*:*:*:*:*:*:*:* |
Date Public
2023-09-20 14:57
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.776Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://asrg.io/security-advisories/cve-2023-43635/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linuxfoundation:edge_virtualization_engine:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "edge_virtualization_engine",
"vendor": "linuxfoundation",
"versions": [
{
"lessThan": "9.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43635",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T14:32:23.099233Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T14:37:39.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "EVE OS",
"product": "EVE OS",
"programFiles": [
"https://github.com/lf-edge/eve/blob/master/pkg/pillar/evetpm/tpm.go"
],
"repo": "https://github.com/lf-edge/eve",
"vendor": " LF-Edge, Zededa",
"versions": [
{
"lessThan": "9.5.0",
"status": "affected",
"version": "0",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ilay Levi"
}
],
"datePublic": "2023-09-20T14:57:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nVault Key Sealed With SHA1 PCRs\n\n\n\u003cbr\u003e\u003cbr\u003e\n\nThe measured boot solution implemented in EVE OS leans on a PCR locking mechanism.\n\u003cbr\u003eDifferent parts of the system update different PCR values in the TPM, resulting in a unique\nvalue for each PCR entry.\n\u003cbr\u003eThese PCRs are then used in order to seal/unseal a key from the TPM which is used to\nencrypt/decrypt the \u201cvault\u201d directory.\n\u003cbr\u003eThis \u201cvault\u201d directory is the most sensitive point in the system and as such, its content should\nbe protected.\n\u003cbr\u003eThis mechanism is noted in Zededa\u2019s documentation as the \u201cmeasured boot\u201d mechanism,\ndesigned to protect said \u201cvault\u201d.\n\u003cbr\u003eThe code that\u2019s responsible for generating and fetching the key from the TPM assumes that\nSHA256 PCRs are used in order to seal/unseal the key, and as such their presence is being\nchecked.\n\u003cbr\u003eThe issue here is that the key is not sealed using SHA256 PCRs, but using SHA1 PCRs.\nThis leads to several issues:\n\u003cbr\u003e\u2022 Machines that have their SHA256 PCRs enabled but SHA1 PCRs disabled, as well\nas not sealing their keys at all, meaning the \u201cvault\u201d is not protected from an attacker.\n\u003cbr\u003e\u2022 SHA1 is considered insecure and reduces the complexity level required to unseal the\nkey in machines which have their SHA1 PCRs enabled.\u003cbr\u003e\u003cbr\u003e\n\nAn attacker can very easily retrieve the contents of the \u201cvault\u201d, which will effectively render\nthe \u201cmeasured boot\u201d mechanism meaningless.\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "\nVault Key Sealed With SHA1 PCRs\n\n\n\n\n\n\nThe measured boot solution implemented in EVE OS leans on a PCR locking mechanism.\n\nDifferent parts of the system update different PCR values in the TPM, resulting in a unique\nvalue for each PCR entry.\n\nThese PCRs are then used in order to seal/unseal a key from the TPM which is used to\nencrypt/decrypt the \u201cvault\u201d directory.\n\nThis \u201cvault\u201d directory is the most sensitive point in the system and as such, its content should\nbe protected.\n\nThis mechanism is noted in Zededa\u2019s documentation as the \u201cmeasured boot\u201d mechanism,\ndesigned to protect said \u201cvault\u201d.\n\nThe code that\u2019s responsible for generating and fetching the key from the TPM assumes that\nSHA256 PCRs are used in order to seal/unseal the key, and as such their presence is being\nchecked.\n\nThe issue here is that the key is not sealed using SHA256 PCRs, but using SHA1 PCRs.\nThis leads to several issues:\n\n\u2022 Machines that have their SHA256 PCRs enabled but SHA1 PCRs disabled, as well\nas not sealing their keys at all, meaning the \u201cvault\u201d is not protected from an attacker.\n\n\u2022 SHA1 is considered insecure and reduces the complexity level required to unseal the\nkey in machines which have their SHA1 PCRs enabled.\n\n\n\nAn attacker can very easily retrieve the contents of the \u201cvault\u201d, which will effectively render\nthe \u201cmeasured boot\u201d mechanism meaningless.\n\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "CWE-328 Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-28T05:36:04.512Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"url": "https://asrg.io/security-advisories/cve-2023-43635/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Vault Key Sealed With SHA1 PCRs",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2023-43635",
"datePublished": "2023-09-20T14:58:07.687Z",
"dateReserved": "2023-09-20T14:34:14.874Z",
"dateUpdated": "2024-09-25T14:37:39.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-44158 (GCVE-0-2023-44158)
Vulnerability from cvelistv5 – Published: 2023-09-27 12:01 – Updated: 2024-09-23 18:07
VLAI
Summary
Sensitive information disclosure due to insufficient token field masking. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security-advisory.acronis.com/advisories/… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Acronis | Acronis Cyber Protect 15 |
Affected:
unspecified , < 35979
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:59:51.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "SEC-4071",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security-advisory.acronis.com/advisories/SEC-4071"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T17:31:30.644678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-23T18:07:34.572Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"Windows"
],
"product": "Acronis Cyber Protect 15",
"vendor": "Acronis",
"versions": [
{
"lessThan": "35979",
"status": "affected",
"version": "unspecified",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sensitive information disclosure due to insufficient token field masking. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-27T12:01:12.850Z",
"orgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175",
"shortName": "Acronis"
},
"references": [
{
"name": "SEC-4071",
"tags": [
"vendor-advisory"
],
"url": "https://security-advisory.acronis.com/advisories/SEC-4071"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175",
"assignerShortName": "Acronis",
"cveId": "CVE-2023-44158",
"datePublished": "2023-09-27T12:01:12.850Z",
"dateReserved": "2023-09-26T13:09:58.803Z",
"dateUpdated": "2024-09-23T18:07:34.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4538 (GCVE-0-2023-4538)
Vulnerability from cvelistv5 – Published: 2024-02-15 08:32 – Updated: 2024-08-29 18:01
VLAI
Title
Shared Key in Comarch ERP XL
Summary
The database access credentials configured during installation are stored in a special table, and are encrypted with a shared key, same among all Comarch ERP XL client installations. This could allow an attacker with access to that table to retrieve plain text passwords.
This issue affects ERP XL: from 2020.2.2 through 2023.2.
Severity
6.2 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2024/02/CVE-2023-4537/ | third-party-advisory |
| https://cert.pl/posts/2024/02/CVE-2023-4537/ | third-party-advisory |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:06.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/en/posts/2024/02/CVE-2023-4537/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cert.pl/posts/2024/02/CVE-2023-4537/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4538",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T18:01:30.912558Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T18:01:40.861Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ERP XL",
"vendor": "Comarch",
"versions": [
{
"lessThanOrEqual": "2023.2",
"status": "affected",
"version": "2020.2.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "dr in\u017c. Marcin Ochab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The database access credentials configured during installation are stored in a special table, and are encrypted with a shared key, same among all Comarch ERP XL client installations. This could allow an attacker with access to that table to retrieve plain text passwords.\u003cbr\u003e\u003cbr\u003eThis issue affects ERP XL: from 2020.2.2 through 2023.2."
}
],
"value": "The database access credentials configured during installation are stored in a special table, and are encrypted with a shared key, same among all Comarch ERP XL client installations. This could allow an attacker with access to that table to retrieve plain text passwords.\n\nThis issue affects ERP XL: from 2020.2.2 through 2023.2."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-15T08:32:44.440Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/02/CVE-2023-4537/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/02/CVE-2023-4537/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Shared Key in Comarch ERP XL",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-4538",
"datePublished": "2024-02-15T08:32:44.440Z",
"dateReserved": "2023-08-25T11:18:57.053Z",
"dateUpdated": "2024-08-29T18:01:40.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46115 (GCVE-0-2023-46115)
Vulnerability from cvelistv5 – Published: 2023-10-19 23:35 – Updated: 2024-09-12 15:50
VLAI
Title
Updater Private Keys Possibly Leaked via Vite Environment Variables in tauri-cli
Summary
Tauri is a framework for building binaries for all major desktop platforms. This advisory is not describing a vulnerability in the Tauri code base itself but a commonly used misconfiguration which could lead to leaking of the private key and updater key password into bundled Tauri applications using the Vite frontend in a specific configuration. The Tauri documentation used an insecure example configuration in the `Vite guide` to showcase how to use Tauri together with Vite. Copying the following snippet `envPrefix: ['VITE_', 'TAURI_'],` from this guide into the `vite.config.ts` of a Tauri project leads to bundling the `TAURI_PRIVATE_KEY` and `TAURI_KEY_PASSWORD` into the Vite frontend code and therefore leaking this value to the released Tauri application. Using the `envPrefix: ['VITE_'],` or any other framework than Vite means you are not impacted by this advisory. Users are advised to rotate their updater private key if they are affected by this (requires Tauri CLI >=1.5.5). After updating the envPrefix configuration, generate a new private key with `tauri signer generate`, saving the new private key and updating the updater's `pubkey` value on `tauri.conf.json` with the new public key. To update your existing application, the next application build must be signed with the older private key in order to be accepted by the existing application.
Severity
8.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/tauri-apps/tauri/security/advi… | x_refsource_CONFIRM |
| https://tauri.app/v1/guides/getting-started/setup/vite/ | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tauri-apps | tauri |
Affected:
>= 2.0.0-alpha.0, < 2.0.0-alpha.16
Affected: >= 1.0.0, < 1.5.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.516Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-2rcp-jvr4-r259",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-2rcp-jvr4-r259"
},
{
"name": "https://tauri.app/v1/guides/getting-started/setup/vite/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tauri.app/v1/guides/getting-started/setup/vite/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46115",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T15:50:11.390191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T15:50:32.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tauri",
"vendor": "tauri-apps",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.0, \u003c 2.0.0-alpha.16"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tauri is a framework for building binaries for all major desktop platforms. This advisory is not describing a vulnerability in the Tauri code base itself but a commonly used misconfiguration which could lead to leaking of the private key and updater key password into bundled Tauri applications using the Vite frontend in a specific configuration. The Tauri documentation used an insecure example configuration in the `Vite guide` to showcase how to use Tauri together with Vite. Copying the following snippet `envPrefix: [\u0027VITE_\u0027, \u0027TAURI_\u0027],` from this guide into the `vite.config.ts` of a Tauri project leads to bundling the `TAURI_PRIVATE_KEY` and `TAURI_KEY_PASSWORD` into the Vite frontend code and therefore leaking this value to the released Tauri application. Using the `envPrefix: [\u0027VITE_\u0027],` or any other framework than Vite means you are not impacted by this advisory. Users are advised to rotate their updater private key if they are affected by this (requires Tauri CLI \u003e=1.5.5). After updating the envPrefix configuration, generate a new private key with `tauri signer generate`, saving the new private key and updating the updater\u0027s `pubkey` value on `tauri.conf.json` with the new public key. To update your existing application, the next application build must be signed with the older private key in order to be accepted by the existing application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-19T19:07:53.644Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-2rcp-jvr4-r259",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-2rcp-jvr4-r259"
},
{
"name": "https://tauri.app/v1/guides/getting-started/setup/vite/",
"tags": [
"x_refsource_MISC"
],
"url": "https://tauri.app/v1/guides/getting-started/setup/vite/"
}
],
"source": {
"advisory": "GHSA-2rcp-jvr4-r259",
"discovery": "UNKNOWN"
},
"title": "Updater Private Keys Possibly Leaked via Vite Environment Variables in tauri-cli"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46115",
"datePublished": "2023-10-19T23:35:03.875Z",
"dateReserved": "2023-10-16T17:51:35.570Z",
"dateUpdated": "2024-09-12T15:50:32.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49280 (GCVE-0-2023-49280)
Vulnerability from cvelistv5 – Published: 2023-12-04 22:33 – Updated: 2024-11-27 16:01
VLAI
Title
Data leak of password hash through xwiki change request
Summary
XWiki Change Request is an XWiki application allowing to request changes on a wiki without publishing directly the changes. Change request allows to edit any page by default, and the changes are then exported in an XML file that anyone can download. So it's possible for an attacker to obtain password hash of users by performing an edit on the user profiles and then downloading the XML file that has been created. This is also true for any document that might contain password field and that a user can view.
This vulnerability impacts all version of Change Request, but the impact depends on the rights that has been set on the wiki since it requires for the user to have the Change request right (allowed by default) and view rights on the page to target. This issue cannot be easily exploited in an automated way. The patch consists in denying to users the right of editing pages that contains a password field with change request. It means that already existing change request for those pages won't be removed by the patch, administrators needs to take care of it. The patch is provided in Change Request 1.10, administrators should upgrade immediately. It's possible to workaround the vulnerability by denying manually the Change request right on some spaces, such as XWiki space which will include any user profile by default.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/xwiki-contrib/application-chan… | x_refsource_CONFIRM |
| https://github.com/xwiki-contrib/application-chan… | x_refsource_MISC |
| https://jira.xwiki.org/browse/CRAPP-302 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xwiki-contrib | application-changerequest |
Affected:
>= 0.1, < 1.10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:53:45.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-2fr7-cc7p-p45q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-2fr7-cc7p-p45q"
},
{
"name": "https://github.com/xwiki-contrib/application-changerequest/commit/ff0f5368ea04f0e4aa7b33821c707dc68a8c5ca8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki-contrib/application-changerequest/commit/ff0f5368ea04f0e4aa7b33821c707dc68a8c5ca8"
},
{
"name": "https://jira.xwiki.org/browse/CRAPP-302",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/CRAPP-302"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2023-12-08T18:32:29.592125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T16:01:05.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "application-changerequest",
"vendor": "xwiki-contrib",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.1, \u003c 1.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Change Request is an XWiki application allowing to request changes on a wiki without publishing directly the changes. Change request allows to edit any page by default, and the changes are then exported in an XML file that anyone can download. So it\u0027s possible for an attacker to obtain password hash of users by performing an edit on the user profiles and then downloading the XML file that has been created. This is also true for any document that might contain password field and that a user can view.\nThis vulnerability impacts all version of Change Request, but the impact depends on the rights that has been set on the wiki since it requires for the user to have the Change request right (allowed by default) and view rights on the page to target. This issue cannot be easily exploited in an automated way. The patch consists in denying to users the right of editing pages that contains a password field with change request. It means that already existing change request for those pages won\u0027t be removed by the patch, administrators needs to take care of it. The patch is provided in Change Request 1.10, administrators should upgrade immediately. It\u0027s possible to workaround the vulnerability by denying manually the Change request right on some spaces, such as XWiki space which will include any user profile by default."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-04T22:33:59.292Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-2fr7-cc7p-p45q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-2fr7-cc7p-p45q"
},
{
"name": "https://github.com/xwiki-contrib/application-changerequest/commit/ff0f5368ea04f0e4aa7b33821c707dc68a8c5ca8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki-contrib/application-changerequest/commit/ff0f5368ea04f0e4aa7b33821c707dc68a8c5ca8"
},
{
"name": "https://jira.xwiki.org/browse/CRAPP-302",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/CRAPP-302"
}
],
"source": {
"advisory": "GHSA-2fr7-cc7p-p45q",
"discovery": "UNKNOWN"
},
"title": "Data leak of password hash through xwiki change request"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49280",
"datePublished": "2023-12-04T22:33:59.292Z",
"dateReserved": "2023-11-24T16:45:24.311Z",
"dateUpdated": "2024-11-27T16:01:05.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50291 (GCVE-0-2023-50291)
Vulnerability from cvelistv5 – Published: 2024-02-09 17:29 – Updated: 2025-05-15 19:39
VLAI
Title
Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords
Summary
Insufficiently Protected Credentials vulnerability in Apache Solr.
This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.
One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name.
There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint.
This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.
This /admin/info/properties endpoint is protected under the "config-read" permission.
Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission.
Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.
A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps".
By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password".
Users who cannot upgrade can also use the following Java system property to fix the issue:
'-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Solr |
Affected:
6.0.0 , ≤ 8.11.2
(semver)
Affected: 9.0.0 , < 9.3.0 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.115Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/09/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-50291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T23:30:48.517994Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T19:39:09.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Solr",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "8.11.2",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.0",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Michael Taggart"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficiently Protected Credentials vulnerability in Apache Solr.\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\u003c/span\u003eOne of the two endpoints that publishes the Solr process\u0027 Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.\u003cbr\u003eThere are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003eThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\u003cbr\u003eTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.\u003cbr\u003eA single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".\u003cbr\u003eBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\u003c/p\u003e\u003cp\u003eUsers who cannot upgrade can also use the following Java system property to fix the issue:\u003cbr\u003e\u0026nbsp; \u0027-D\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003esolr.redaction.system.pattern\u003c/span\u003e=.*(password|secret|basicauth).*\u0027\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Insufficiently Protected Credentials vulnerability in Apache Solr.\n\nThis issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\nOne of the two endpoints that publishes the Solr process\u0027 Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.\nThere are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\n\nThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue.\nA single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".\nBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\n\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\n\u00a0 \u0027-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*\u0027"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-09T17:30:06.569Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/09/4"
}
],
"source": {
"defect": [
"SOLR-16809"
],
"discovery": "EXTERNAL"
},
"title": "Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-50291",
"datePublished": "2024-02-09T17:29:32.882Z",
"dateReserved": "2023-12-06T17:56:16.223Z",
"dateUpdated": "2025-05-15T19:39:09.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50310 (GCVE-0-2023-50310)
Vulnerability from cvelistv5 – Published: 2024-10-23 10:55 – Updated: 2024-10-23 13:45
VLAI
Title
IBM CICS Transaction Gateway for Multiplatforms information disclosure
Summary
IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | CICS Transaction Gateway for Multiplatforms |
Affected:
9.2, 9.3
cpe:2.3:a:ibm:cics_transaction_gateway:9.2:*:*:*:*:multiplatforms:*:* cpe:2.3:a:ibm:cics_transaction_gateway:9.3:*:*:*:*:multiplatforms:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50310",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T13:45:18.638182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T13:45:26.181Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cics_transaction_gateway:9.2:*:*:*:*:multiplatforms:*:*",
"cpe:2.3:a:ibm:cics_transaction_gateway:9.3:*:*:*:*:multiplatforms:*:*"
],
"defaultStatus": "unaffected",
"product": "CICS Transaction Gateway for Multiplatforms",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "9.2, 9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval."
}
],
"value": "IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T10:55:53.145Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7145418"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM CICS Transaction Gateway for Multiplatforms information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-50310",
"datePublished": "2024-10-23T10:55:53.145Z",
"dateReserved": "2023-12-07T01:29:00.310Z",
"dateUpdated": "2024-10-23T13:45:26.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50311 (GCVE-0-2023-50311)
Vulnerability from cvelistv5 – Published: 2024-03-31 12:00 – Updated: 2024-10-23 10:59
VLAI
Title
IBM CICS Transaction Gateway for Multiplatforms information disclosure
Summary
IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 could disclose sensitive path information to an attacker that could reveal through debugging or error messages.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://https://www.ibm.com/support/pages/node/7145418 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entryx_transferred |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | CICS Transaction Gateway for Multiplatforms |
Affected:
9.2, 9.3
cpe:2.3:a:ibm:cics_transaction_gateway:9.2:*:*:*:*:multiplatforms:*:* cpe:2.3:a:ibm:cics_transaction_gateway:9.3:*:*:*:*:multiplatforms:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T21:01:58.938895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T21:02:04.684Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.217Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://https://www.ibm.com/support/pages/node/7145418"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/273612"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cics_transaction_gateway:9.2:*:*:*:*:multiplatforms:*:*",
"cpe:2.3:a:ibm:cics_transaction_gateway:9.3:*:*:*:*:multiplatforms:*:*"
],
"defaultStatus": "unaffected",
"product": "CICS Transaction Gateway for Multiplatforms",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "9.2, 9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 could disclose sensitive path information to an attacker that could reveal through debugging or error messages."
}
],
"value": "IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 could disclose sensitive path information to an attacker that could reveal through debugging or error messages."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T10:59:46.860Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://https://www.ibm.com/support/pages/node/7145418"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM CICS Transaction Gateway for Multiplatforms information disclosure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-50311",
"datePublished": "2024-03-31T12:00:11.233Z",
"dateReserved": "2023-12-07T01:29:00.310Z",
"dateUpdated": "2024-10-23T10:59:46.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Use an appropriate security mechanism to protect the credentials.
Mitigation
Phase: Architecture and Design
Description:
- Make appropriate use of cryptography to protect the credentials.
Mitigation
Phase: Implementation
Description:
- Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
CAPEC-474: Signature Spoofing by Key Theft
An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.
CAPEC-509: Kerberoasting
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.
CAPEC-551: Modify Existing Service
When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.
CAPEC-555: Remote Services with Stolen Credentials
This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-561: Windows Admin Shares with Stolen Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-644: Use of Captured Hashes (Pass The Hash)
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
CAPEC-645: Use of Captured Tickets (Pass The Ticket)
An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.