CVE-2024-1040 - OpenCVE

Gessler GmbH WEB-MASTER user account is stored using a weak hashing algorithm. The attacker can restore the passwords by breaking the hashes stored on the device.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gesslergmbh	Web-master Web-master Firmware

Configuration 1 [-]

AND

cpe:2.3:o:gesslergmbh:web-master_firmware:7.9:*:*:*:*:*:*:*

cpe:2.3:h:gesslergmbh:web-master:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-02-01T21:41:08.954Z

Updated: 2024-08-01T18:26:30.400Z

Reserved: 2024-01-29T15:59:59.954Z

Link: CVE-2024-1040

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-02-01T22:15:55.717

Modified: 2024-02-07T17:11:40.623

Link: CVE-2024-1040

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1040", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-01-29T15:59:59.954Z", "datePublished": "2024-02-01T21:41:08.954Z", "dateUpdated": "2024-08-01T18:26:30.400Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WEB-MASTER", "vendor": "Gessler GmbH", "versions": [{"status": "affected", "version": "7.9"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Felix Eberstaller and Nino F\u00fcrthauer of Limes Security reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">Gessler GmbH WEB-MASTER user account is stored using a weak hashing algorithm. The attacker can restore the passwords by breaking the hashes stored on the device.</span>\n\n</span>\n\n"}], "value": "\n\n\nGessler GmbH WEB-MASTER user account is stored using a weak hashing algorithm. The attacker can restore the passwords by breaking the hashes stored on the device.\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-328", "description": "USE OF WEAK HASH CWE-328", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-02-01T21:41:08.954Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Gessler GmbH recommends updating EZ2 to 3.2 or greater and WebMaster to 4.4 or greater to mitigate these vulnerabilities. Updates have to be applied by Gessler GmbH technicians. For more information contact </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.gessler.de/en/contact-us/\">Gessler GmbH</a><span style=\"background-color: rgb(255, 255, 255);\">.</span>\n\n<br>"}], "value": "\nGessler GmbH recommends updating EZ2 to 3.2 or greater and WebMaster to 4.4 or greater to mitigate these vulnerabilities. Updates have to be applied by Gessler GmbH technicians. For more information contact Gessler GmbH https://www.gessler.de/en/contact-us/ .\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Use of weak hash in Gessler GmbH WEB-MASTER ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.400Z"}, "title": "CVE Program Container", "references": [{"tags": ["government-resource", "x_transferred"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gesslergmbh:web-master_firmware:7.9:*:*:*:*:*:*:*", "matchCriteriaId": "DD89F461-9389-4CBE-AC15-790CF72EAE11", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gesslergmbh:web-master:-:*:*:*:*:*:*:*", "matchCriteriaId": "DA32B59C-2591-443B-9AA1-E42B7A3B7BDF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\n\n\nGessler GmbH WEB-MASTER user account is stored using a weak hashing algorithm. The attacker can restore the passwords by breaking the hashes stored on the device.\n\n\n\n"}, {"lang": "es", "value": "La cuenta de usuario de Gessler GmbH WEB-MASTER se almacena mediante un algoritmo hash d\u00e9bil. El atacante puede restaurar las contrase\u00f1as rompiendo los hashes almacenados en el dispositivo."}], "id": "CVE-2024-1040", "lastModified": "2024-02-07T17:11:40.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2024-02-01T22:15:55.717", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-328"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}