USE OF PASSWORD HASH WITH INSUFFICIENT COMPUTATIONAL EFFORT CWE-916

Vulnerability

GateManager versions prior to 9.2c use a password hash with insufficient computational effort (CWE-916) [1]. This weak hash type makes stored user passwords vulnerable to offline cracking. No special configuration is required; the weak hashing is the default mechanism for password storage.

Exploitation

An attacker with network access and no authentication can exploit this vulnerability [1]. The attacker first obtains the password hash database, likely through another vulnerability such as CVE-2020-14500 (remote code execution) or CVE-2020-14508 (off-by-one error) also present in the same product [1]. Once the hashes are obtained, the attacker can perform offline cracking with low skill level to recover plaintext passwords [1].

Impact

Successful exploitation allows the attacker to view user passwords, leading to a high confidentiality impact [1]. The attacker can obtain passwords of any user, including administrative accounts, potentially enabling further compromise of the system or other systems where passwords are reused. There is no integrity or availability impact from this specific vulnerability [1].

Mitigation

Secomea has released GateManager version 9.2c to address this vulnerability [1]. All users should upgrade to 9.2c or later. No workarounds are documented. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.