5.9 CVE-2017-7537

Brute Force Patch Exploit

It was found that a mock CMC authentication plugin with a hardcoded secret was accidentally enabled by default in the pki-core package before 10.6.4. An attacker could potentially use this flaw to bypass the regular authentication process and trick the CA server into issuing certificates.
https://nvd.nist.gov/vuln/detail/CVE-2017-7537

Categories

CWE-592 : DEPRECATED: Authentication Bypass Issues
This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

CWE-798 : Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key. Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code. Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods. This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed. For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key. If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection. Condition Monitor firmware has a maintenance interface with hard-coded credentials Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation Distributed Control System (DCS) has hard-coded passwords for local shell access Programmable Logic Controller (PLC) has a maintenance service that uses undocumented, hard-coded credentials Firmware for a Safety Instrumented System (SIS) has hard-coded credentials for access to boot configuration Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments Telnet service for IoT feeder for dogs and cats has hard-coded password [REF-1288] Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port Installation script has a hard-coded secret token value, allowing attackers to bypass authentication SCADA system uses a hard-coded password to protect back-end database containing authorization information, exploited by Stuxnet worm FTP server library uses hard-coded usernames and passwords for three default accounts Chain: Router firmware uses hard-coded username and password for access to debug functionality, which can be used to execute arbitrary code Server uses hard-coded authentication key Backup product uses hard-coded username and password, allowing attackers to bypass authentication via the RPC interface Security appliance uses hard-coded password allowing attackers to gain root access Drive encryption product stores hard-coded cryptographic keys for encrypted configuration files in executable programs VoIP product uses hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information VoIP product uses hard coded public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information Backup product contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system

References

af854a3a-2127-422b-91ae-364da2661108 Patch Exploit

https://access.redhat.com/errata/RHSA-2017:2335 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7537 Exploit Issue Tracking Patch Third Party Advisory
https://github.com/dogtagpki/pki/commit/876d13c6d20e7e1235b9 Patch Third Party Advisory

secalert@redhat.com Patch Exploit

https://access.redhat.com/errata/RHSA-2017:2335 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7537 Exploit Issue Tracking Patch Third Party Advisory
https://github.com/dogtagpki/pki/commit/876d13c6d20e7e1235b9 Patch Third Party Advisory

CPE

cpe	start	end
Configuration 1
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
Configuration 2
cpe:2.3:a:dogtagpki:dogtagpki::::::::		< 10.6.4

REMEDIATION

Patch

Url
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7537
https://github.com/dogtagpki/pki/commit/876d13c6d20e7e1235b9
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7537
https://github.com/dogtagpki/pki/commit/876d13c6d20e7e1235b9

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7537
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7537

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
191	Read Sensitive Constants Within an Executable	Low
70	Try Common or Default Usernames and Passwords An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.	High

MITRE

Techniques

id	description
T1078.001	Valid Accounts:Default Accounts
T1552.001	Unsecured Credentials:Credentials in files
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id	description
T1078.001	Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.
T1552.001	Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee