#VU46986 Use of a One-Way Hash without a Salt in APM Classic - CVE-2020-16244


Vulnerability identifier: #VU46986

Vulnerability risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-16244

CWE-ID: CWE-759

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
APM Classic
Server applications / Other server solutions

Vendor: GE Digital

Description

The vulnerability allows a remote user to gain access to sensitive information on the system.

The vulnerability exists because passwords are hashed without a salt, making it possible to recover the original passwords from the stored hashes. A remote administrator can retrieve all user account data and then recover the actual passwords.
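To illustrate the CWE-759 weakness this advisory describes, the following is an added example (not GE Digital's code and not the APM Classic implementation) that contrasts an unsalted hash with a per-user salted, iterated one; the usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Callable, Dict, Optional

# Constructed sample credentials; two users share a password on purpose.
USERS = {"alice": "Winter2020!", "bob": "Winter2020!", "carol": "s3cure-pass"}


def hash_unsalted(password: str) -> str:
    """CWE-759 pattern: the digest depends on the password alone, so equal
    passwords produce equal hashes and one precomputed table covers every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Hardened form: a random 16-byte salt per user plus an iterated KDF.
    Stored as salt$iterations$digest so verification can reproduce the work.
    Tune the iteration count to the hardware; higher costs attackers more too."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def count_shared_hashes(hashes: Dict[str, str]) -> int:
    """Number of accounts whose stored hash also belongs to another account.
    A non-zero result on a dumped credential table is a quick indicator that
    hashing is unsalted (or that the salt is constant)."""
    counts = Counter(hashes.values())
    return sum(1 for h in hashes.values() if counts[h] > 1)


def audit(store_fn: Callable[[str], str]) -> int:
    """Hash every sample user with store_fn and report shared hashes."""
    return count_shared_hashes({u: store_fn(p) for u, p in USERS.items()})
```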

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

APM Classic: 4.4


External links
https://ics-cert.us-cert.gov/advisories/icsa-20-266-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
