PT-2022-17533 · Igel · Igel Universal Management Suite

Nick Nam

Published

2022-06-09

Updated

2022-06-17

CVE-2022-25807

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions IGEL Universal Management Suite (UMS) version 6.07.100

Description An issue was discovered in the IGEL Universal Management Suite (UMS) where a hardcoded DES key in the LDAPDesPWEncrypter class allows an attacker to decrypt encrypted LDAP bind credentials using a static 8-byte DES key, if the attacker has discovered these credentials.

Recommendations For IGEL Universal Management Suite (UMS) version 6.07.100, consider disabling the LDAPDesPWEncrypter class until a patch is available to prevent the decryption of encrypted LDAP bind credentials.

Exploit

Fix

Using Hardcoded Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-798

Related Identifiers

CVE-2022-25807

Affected Products

Igel Universal Management Suite

PT-2022-17533 · Igel · Igel Universal Management Suite

CVE-2022-25807

Weakness Enumeration

Related Identifiers

Affected Products

References · 5