cryptctl: client side password hashing is equivalent to clear text password storage

CVE-2019-18906

9.8CRITICAL

Key Information

Vendor: Suse
Status: Suse Linux Enterprise Server For SAP 12-sp5; Suse Manager Server 4.0
Vendor: CVE Published:; 30 June 2021

Summary

A Improper Authentication vulnerability in cryptctl of SUSE Linux Enterprise Server for SAP 12-SP5, SUSE Manager Server 4.0 allows attackers with access to the hashed password to use it without having to crack it. This issue affects: SUSE Linux Enterprise Server for SAP 12-SP5 cryptctl versions prior to 2.4. SUSE Manager Server 4.0 cryptctl versions prior to 2.4.

Affected Version(s)

SUSE Linux Enterprise Server for SAP 12-SP5 < 2.4

SUSE Manager Server 4.0 < 2.4

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jun 30, 2021
Vulnerability Reserved.
Nov 12, 2019

Collectors

NVD DatabaseMitre Database

Credit

Malte Kraus of SUSE