5.9
CVE-2019-15802
- EPSS 0.29%
- Veröffentlicht 14.11.2019 21:15:11
- Zuletzt bearbeitet 21.11.2024 04:29:29
- Quelle cve@mitre.org
- Teams Watchlist Login
- Unerledigt Login
An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. The firmware hashes and encrypts passwords using a hardcoded cryptographic key in sal_util_str_encrypt() in libsal.so.0.0. The parameters (salt, IV, and key data) are used to encrypt and decrypt all passwords using AES256 in CBC mode. With the parameters known, all previously encrypted passwords can be decrypted. This includes the passwords that are part of configuration backups or otherwise embedded as part of the firmware.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zyxel ≫ Gs1900-8 Firmware Version < 2.50\(aahh.0\)c0
Zyxel ≫ Gs1900-8hp Firmware Version < 2.50\(aahi.0\)c0
Zyxel ≫ Gs1900-10hp Firmware Version < 2.50\(aazi.0\)c0
Zyxel ≫ Gs1900-16 Firmware Version < 2.50\(aahj.0\)c0
Zyxel ≫ Gs1900-24e Firmware Version < 2.50\(aahk.0\)c0
Zyxel ≫ Gs1900-24 Firmware Version < 2.50\(aahl.0\)c0
Zyxel ≫ Gs1900-24hp Firmware Version < 2.50\(aahm.0\)c0
Zyxel ≫ Gs1900-48 Firmware Version < 2.50\(aahn.0\)c0
Zyxel ≫ Gs1900-48hp Firmware Version < 2.50\(aaho.0\)c0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.29% | 0.491 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.9 | 2.2 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:P/I:N/A:N
|
CWE-798 Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.