PT-2020-9367 · Unknown · Enctool.Jar+1

Published: 2020-05-14 · Updated: 2021-07-21 · CVE-2019-13022

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Bond JetSelect (all versions)
Description: The issue lies in the Java class (ENCtool.jar) and the corresponding password generation algorithm used to set initial passwords during the first installation of Bond JetSelect. This algorithm uses an XOR operation to derive the 'encrypted' password from the plaintext, and the result is stored in the database. Because XOR is trivially reversible, the stored value can be turned back into the plaintext, allowing privilege escalation within the JetSelect application by obtaining the passwords of JetSelect administrators. These administrators can modify, delete, and alter networking configurations across vessels and managed network devices, including switches and routers.
Recommendations: For Bond JetSelect (all versions), consider disabling the affected Java class (ENCtool.jar) or restricting access to the password generation algorithm until a proper fix is available. Additionally, restrict the privileges of JetSelect administrators to limit the impact of exploitation. As a temporary workaround, manually change the initial passwords set by the vulnerable algorithm to strong, unique passwords to reduce the risk of privilege escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
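To illustrate why XOR-based password storage is reversible and what a non-reversible replacement looks like, here is an added Python example; it is not ENCtool.jar's code, and the XOR key, the stored-field layout and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed fixed key for the weak scheme; NOT the real ENCtool.jar key (assumption).
XOR_KEY = b"jetkey"
ITERATIONS = 600_000  # assumed PBKDF2 work factor


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def weak_store(password: str) -> bytes:
    """The flawed pattern: an 'encrypted' password that the DB stores as-is."""
    return xor_bytes(password.encode(), XOR_KEY)


def weak_recover(stored: bytes) -> str:
    """Applying the same operation again yields the plaintext, so anyone who can
    read the database and the class file learns every initial password."""
    return xor_bytes(stored, XOR_KEY).decode()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hardened form: salted, slow one-way hash. Stored as pbkdf2_sha256$iter$salt$hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_legacy_record(stored) -> bool:
    """Migration check: flag records still in the reversible XOR format so the
    affected accounts can be forced through a password reset."""
    return not (isinstance(stored, str) and stored.startswith("pbkdf2_sha256$"))
```

The check at the end supports the workaround above: sweep the password table, flag every legacy record, and require those accounts to set a new password through the hardened path.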

Exploit

Weakness Enumeration: Use of a Broken Cryptographic Algorithm

Related Identifiers

CVE-2019-13022

Affected Products

Bond Jetselect
Enctool.Jar