cryptctl: client side password hashing is equivalent to clear text password storage
CVE-2019-18906

9.8CRITICAL

Key Information:

Vendor: Suse
Status: Suse Linux Enterprise Server For SAP 12-sp5; Suse Manager Server 4.0
Vendor: CVE Published:; 30 June 2021

Summary

A Improper Authentication vulnerability in cryptctl of SUSE Linux Enterprise Server for SAP 12-SP5, SUSE Manager Server 4.0 allows attackers with access to the hashed password to use it without having to crack it. This issue affects: SUSE Linux Enterprise Server for SAP 12-SP5 cryptctl versions prior to 2.4. SUSE Manager Server 4.0 cryptctl versions prior to 2.4.

Affected Version(s)

SUSE Linux Enterprise Server for SAP 12-SP5 cryptctl < 2.4

SUSE Manager Server 4.0 cryptctl < 2.4

References

https://bugzilla.suse.com/show_bug.cgi?id=1186226

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 30, 2021
Vulnerability Reserved
Nov 12, 2019

Credit

Malte Kraus of SUSE