Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Password Safe And Repository Enterprise 7.4.4 Build 2247 Crypto Issues

🗓️ 12 Oct 2015 00:00:00Reported by Matthias DeegType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 32 Views

Password Safe and Repository Enterprise 7.4.4 Build 2247 Crypto Issues - Insufficiently Protected Credential

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2015-037  
Product(s): Password Safe and Repository Enterprise  
Manufacturer: MATESO GmbH  
Affected Version(s): 7.4.4 Build 2247  
Tested Version(s): 7.4.4 Build 2247  
Vulnerability Type: Insufficiently Protected Credentials (CWE-522)  
Use of a One-Way Hash without a Salt (CWE-759)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2015-07-09  
Solution Date: 2015-10-05  
Public Disclosure: 2015-10-12  
CVE Reference: Not yet assigned  
Author of Advisory: Matthias Deeg (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Password Safe and Repository Enterprise is a password management  
software for companies with many features.  
  
The manufacturer MATESO GmbH describes the product as follows (see [1]):  
  
"Manage your passwords in the company according to your security needs!  
Features such as password policies, multi-eyes principle, workflow and  
task system makes management productive and safe.  
  
The integrated rights management system with data transfer option and  
automatic synchronization with Active Directory ensures that your  
employees can only access data which they are entitled to."  
  
Passwords of Password Safe and Repository Enterprise users are stored  
as raw, unsalted MD5 hash values and thus are insufficiently protected  
from attackers with access to the password management software database.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The SySS GmbH found out that user passwords are stored as raw, unsalted  
MD5 hash values in the table tdUsers of the databases of the password  
management software Password Safe and Repository Enterprise.  
  
The use of a cryptographic one-way hash function MD5 without using a   
salt for storing sensitive data like user passwords allows an attacker  
with access to this data to perform efficient password guessing attacks  
using pre-computed dictionaries, for instance rainbow tables.  
  
The vulnerability concerning the insecure storage of user password  
information as raw, unsalted MD5 hash values affects both the online and  
the offline mode of the password management software.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
When using the change password functionality, the following SQL  
statement is used for storing the raw, unsalted MD5 hash value of the  
new login password in the database table tdUsers:  
  
UPDATE tdUsers SET LoginPassword = 'ef2eb17e3a46818e63bf209aa58da9aa',  
LastLogin = julianday('<DATE>'), LastPasswordChange = julianday('<DATE>'),  
ChangeDate = julianday('<DATE>'), LastPasswords =   
'9e96559b23ad93f0b8990539331441ca' WHERE ID = 2  
  
In this example, the password "Passw0rd2015" was set, as the following  
output shows:  
  
$ echo -n "Passw0rd2015" | md5sum  
ef2eb17e3a46818e63bf209aa58da9aa -  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
According to information by the MATESO GmbH, the described security  
issue has been fixed in the software version 7.5.0.2255 that was  
released on October 5, 2015.  
  
Please contact the manufacturer for further information or support.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2015-07-09: Vulnerability reported to manufacturer  
2015-07-09: Manufacturer acknowledges e-mail with SySS security advisory   
2015-07-30: Scheduling of the publication date in agreement with the  
manufacturer  
2015-10-02: Rescheduling of the publication date in agreement with the  
manufacturer  
2015-10-12: Public release of security advisory on agreed publication  
date  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product Web Site for Password Safe and Repository Enterprise   
http://www.passwordsafe.de/en/products/business/enterprise-edition.html  
[2] SySS Security Advisory SYSS-2015-037  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-037.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Matthias Deeg of the SySS GmbH.  
  
E-Mail: matthias.deeg (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc  
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web   
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIcBAEBCgAGBQJWG199AAoJENmkv2o0rU2rkc8QAKuatN3RbHAJJeqY5VadS8yy  
vU3Zk0J3m/cb8i17zXPF3w52GixMWibSUFkQ4+6m5JniWtOLbf6W9XVsZt6kFRTJ  
XEGFyxoHtFqpTLqg0f81s4UTRK/9vFz3LOKpEV34zuQm+worurXnodH8N6gdIY2A  
ndUTPGtbRTpwbpbJbAYU2BFbQWQy2hNFWKYldq6efB81nlkCniZlAlN1wDi/QBWm  
QeTgiM5gZf/+UxKvUeqPu3sEvkHsXse1BlwxJo6aNLfPUZBSFP0JWtBx8wGRDFx8  
RXjtGweJGC0vxzQSodpfZe26OH1wAJF6DXFgSyQ420+B2JlZlr6VhMJLTgNFpdUd  
K+KBCYLif1fUmWn0qUT4bDd/7Dib+b1QfNDYejqlI2IsbEfBaww976p4HXNCMvN9  
Gjf6vGAIACg4yrqvWJNzW6Q7nUph6xneIXzwoC7iZJC07ypO+9MMElPO5gG/SSn5  
ei49qDazFyHvwEySEfFWXdeFzS+PSypmqnHjSz1sHjwcOUnsc+sb2CHdHH1eq8vG  
zdav6XwPy91n1eyzizdkEIA1L5XhWlQc4eS741xXP/fAOKxqM20AVok0PZA1sJfj  
XDmUAVyki96vvF/Mypfg0ijzXl+RFuxx0bBd2RbtWA3GpaAOmuWBtU50TvXf7N8j  
meuv9Es9GmY2qM7YcUIK  
=I6jb  
-----END PGP SIGNATURE-----  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Oct 2015 00:00Current
7.4High risk
Vulners AI Score7.4
password saferepository enterprisemateso gmbhinsufficiently protected credentialsmd5 hashsecurity advisorysyss gmbhdatabase vulnerability
32