SMC authentication bruteforce

Advisory ID:       STORM-2019-022
CVE Number:
Date discovered:   05/09/2019
Severity:          high
Advisory revision: v2

Vulnerability details

An attacker can attempt to log in by quickly trying a large number of passwords.

Impacted products

Product                       Severity  Detail
Stormshield Network Security  high      fixed

Revisions

Version  Date        Description
v1                   Initial release
v2       2019-11-22  Improve analysis presentation


Stormshield Network Security

CVSS v2 Overall Score: 8.3

Analysis

Each failed login triggers a log emission with message “Authentication failed. Invalid credentials” and level “warning”.

Impacted version

  • SMC 1.0.0 to 2.6.1
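As an added detection example (not part of the advisory and not Stormshield code), the following counts the failed-login warnings described above per source and user inside a sliding window and flags bursts. Only the message text and the “warning” level come from the advisory; the line layout, field names, sample addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. The timestamp/src/user field layout is an
# assumption, NOT the real SMC log format; only the message text and the
# "warning" level are taken from the advisory. Addresses are RFC 5737 examples.
SAMPLE_LOGS = """\
2019-11-22T10:00:00 warning src=203.0.113.7 user=admin msg="Authentication failed. Invalid credentials"
2019-11-22T10:00:01 warning src=203.0.113.7 user=admin msg="Authentication failed. Invalid credentials"
2019-11-22T10:00:02 warning src=203.0.113.7 user=admin msg="Authentication failed. Invalid credentials"
2019-11-22T10:00:03 warning src=203.0.113.7 user=admin msg="Authentication failed. Invalid credentials"
2019-11-22T10:00:04 warning src=203.0.113.7 user=admin msg="Authentication failed. Invalid credentials"
2019-11-22T10:00:05 warning src=203.0.113.7 user=admin msg="Authentication failed. Invalid credentials"
2019-11-22T10:00:10 warning src=198.51.100.9 user=bob msg="Authentication failed. Invalid credentials"
2019-11-22T10:00:12 info src=198.51.100.9 user=bob msg="Authentication succeeded"
2019-11-22T10:05:00 warning src=198.51.100.9 user=bob msg="Authentication failed. Invalid credentials"
"""

FAILURE_MSG = "Authentication failed. Invalid credentials"  # message text from the advisory
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<level>\w+) src=(?P<src>\S+) user=(?P<user>\S+) msg="(?P<msg>[^"]*)"$'
)


def parse(log_text):
    """Yield (timestamp, level, src, user, msg) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["level"], m["src"], m["user"], m["msg"])


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {(src, user): peak_failures} for pairs reaching `threshold` failures inside a sliding `window`."""
    recent = defaultdict(deque)   # (src, user) -> failure timestamps still inside the window
    alerts = {}
    for ts, level, src, user, msg in parse(log_text):
        if level != "warning" or msg != FAILURE_MSG:
            continue                      # successes and unrelated warnings are ignored
        q = recent[(src, user)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[(src, user)] = max(alerts.get((src, user), 0), len(q))
    return alerts


if __name__ == "__main__":
    for (src, user), n in detect_bruteforce(SAMPLE_LOGS).items():
        print(f"possible brute force: {n} failures for user={user} from src={src}")
```

On the constructed sample, the six rapid failures for admin from 203.0.113.7 are flagged, while bob's two failures five minutes apart are not.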

Workaround solution

Use unpredictable passwords.

Solution

The 2.6.2 update will fix this vulnerability.

CVSS v2 Base metrics
  Access vector:          Network
  Access complexity:      Medium
  Authentication:         None
  Confidentiality impact: Complete
  Integrity impact:       Partial
  Availability impact:    Partial
CVSS Base score: 8.3
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:P/A:P)

CVSS v2 Temporal metrics
  Exploitability:    High
  Remediation Level: Official fix
  Report Confidence: Confirmed
CVSS Temporal score: 7.2
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:P/A:P/E:H/RL:OF/RC:C)

CVSS v2 Environmental metrics
  Collateral Damage Potential: Medium-High
  Target Distribution:         High [76-100%]
CVSS Environmental score: 8.3
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:P/A:P/E:H/RL:OF/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)