Use of a One-Way Hash without a Salt in B. Braun Melsungen AG products - CVE-2020-25164

 

Use of a One-Way Hash without a Salt in B. Braun Melsungen AG products - CVE-2020-25164

Published: October 26, 2020 / Updated: October 26, 2020


Vulnerability identifier: #VU47909
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-25164
CWE-ID: CWE-759
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: B. Braun Melsungen AG
Affected software:
SpaceCom
Data module compact plus
Battery pack with Wi-Fi

Detailed vulnerability description

The vulnerability allows a local attacker to gain access to sensitive information on the system.

The vulnerability exists due to salt is not used for hash calculation of passwords, making it possible to decrypt passwords. A local attacker can recover user credentials of the administrative interface.


How to mitigate CVE-2020-25164

Install updates from vendor's website.

Sources