PT-2022-17532 · Igel · Igel Universal Management Suite

Nick Nam

·

Published

2022-06-09

·

Updated

2022-06-17

·

CVE-2022-25806

CVSS v3.1

8.8

High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: IGEL Universal Management Suite (UMS) version 6.07.100

Description: An issue was discovered in the IGEL Universal Management Suite (UMS) where a hardcoded DES key in the PrefDBCredentials class allows an attacker to decrypt superuser credentials using a static 8-byte DES key, provided the attacker has already obtained the encrypted credentials.

Recommendations: For IGEL Universal Management Suite (UMS) version 6.07.100, consider disabling the PrefDBCredentials class until a patch is available to prevent potential exploitation. Restrict access to superuser credentials to minimize the risk of decryption by an attacker.

Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

CVE-2022-25806

Affected Products

Igel Universal Management Suite