CERTVU:491770WebEOC implements weak algorithms to encrypt sensitive information
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
33.5%
Overview
WebEOC uses weak cryptographic algorithms to encrypt sensitive information.
Description
WebEOC is a web-based crisis information management application that provides functions to gather, coordinate, and disseminate information between emergency personnel and Emergency Operations Centers (EOC). WebEOC uses weak algorithms to encrypt sensitive information. The prerequisite information and effort needed to crack the encryption depends on the algorithm being attacked. However, for a skilled attacker, compromising the crypto-system may still a trivial task.
Impact
A remote attacker could recover or derive a private encryption keys, or apply simple cryptanalytic techniques to decipher an encrypted message.
Solution
Upgrade
Version 6.0.2 corrects this vulnerability. According to ESi:
This vulnerability is addressed in 6.0.2 by hashing passwords (using SHA-512) rather than encrypting them.
To obtain WebEOC upgrades, contact ESi Technical Support.
Restrict Access
Restrict access to the WebEOC login pages to only known and trusted users.
Vendor Information
491770
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
ESi __ Affected
Updated: June 21, 2005
Status
Affected
Vendor Statement
This vulnerability is addressed in version 6.0.2.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23491770 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 0 | AV:–/AC:–/Au:–/C:–/I:–/A:– |
| Temporal | 0 | E:ND/RL:ND/RC:ND |
| Environmental | 0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- <http://www.esi911.com/esi/products/webeoc.shtml>
- <http://www.esi911.com/esi/support/support.htm>
Acknowledgements
This document is based on technical analysis by IOActive and additional information from ESi. Thanks also to the City of Seattle for bringing this to our attention.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2005-2281 |
|---|---|
| Severity Metric: | 2.13 Date Public: |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
33.5%