Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2017-6528

Disclosure Date: March 09, 2017
Add any MITRE ATT&CK Tactics to the list below that apply to this CVE.

Description

An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is affected by plaintext password storage (the /home/dna/spool/.pfile file).

Add Assessment

2
Ratings
Technical Analysis

/home/dna/spool/.pfile is the database file for users. It is a tab delimited file, and by default passwords are kept in cleartext. An option is available to hash the passwords (MD5 I believe), however it is not the default. The configuration we found in live tested included several admin accounts for the software developer. No patch was available or would be created when the developer was notified.

General Information

Additional Info

Technical Analysis