CVE-2019-15802

MEDIUM Year: 2019
CVSS v3 Score
5.9
Medium
CVSS v2 Score
4.3
Medium
Weakness Type
CWE-798
View all →

Vulnerability Description

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. The firmware hashes and encrypts passwords using a hardcoded cryptographic key in sal_util_str_encrypt() in libsal.so.0.0. The parameters (salt, IV, and key data) are used to encrypt and decrypt all passwords using AES256 in CBC mode. With the parameters known, all previously encrypted passwords can be decrypted. This includes the passwords that are part of configuration backups or otherwise embedded as part of the firmware.

Related Vulnerabilities

CVE-2015-7276

MEDIUM
CVSS:5.9(Medium)

Technicolor C2000T and C2100T uses hard-coded cryptographic keys.

CWE-7982015

CVE-2018-12240

MEDIUM
CVSS:5.9(Medium)

The Norton Identity Safe product prior to 5.3.0.976 may be susceptible to a privilege escalation issue via a hard coded IV, which is a type of vulnerability that can potentially increase the likelihoo...

CWE-7982018

CVE-2018-16546

MEDIUM
CVSS:5.9(Medium)

Amcrest networked devices use the same hardcoded SSL private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging kn...

CWE-7982018

CVE-2018-9073

MEDIUM
CVSS:5.9(Medium)

Lenovo Chassis Management Module (CMM) prior to version 2.0.0 utilizes a hardcoded encryption key to protect certain secrets. Possession of the key can allow an attacker that has already compromised t...

CWE-7982018

CVE-2018-9195

MEDIUM
CVSS:5.9(Medium)

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services...

CWE-7982018

CVE-2019-13399

MEDIUM
CVSS:5.9(Medium)

Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation.

CWE-7982019