CVE-2018-15781

DSA-2019-022: Dell Wyse Password Encoder Hard-coded Cryptographic Key Vulnerability

Severity Score

8.0

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Dell Wyse Password Encoder in ThinLinux2 versions prior to 2.1.0.01 contain a Hard-coded Cryptographic Key vulnerability. An unauthenticated remote attacker could reverse engineer the cryptographic system used in the Dell Wyse Password Encoder to discover the hard coded private key and decrypt locally stored cipher text.

El codificador de contraseñas Dell Wyse en ThinLinux2, en versiones anteriores a la 2.1.0.01, contiene una vulnerabilidad de clave criptográfica embebida. Un atacante remoto no autenticado podría emplear ingeniería inversa en el sistema criptográfico empleado en el codificador de contraseñas Dell Wyse para descubrir la clave privada embebida y descifrar el texto cifrado almacenado de forma local.

*Credits: Dell would like to thank Andrew Tierney at Pen Test Partners for reporting this vulnerability.

CVSS Scores

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-08-23 CVE Reserved
2019-02-13 CVE Published
2023-03-07 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-798: Use of Hard-coded Credentials

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://www.dell.com/support/article/SLN316104	2019-10-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dell Search vendor "Dell"		Wyse Thinlinux Search vendor "Dell" for product "Wyse Thinlinux"				>= 2.0 < 2.1.0.01 Search vendor "Dell" for product "Wyse Thinlinux" and version " >= 2.0 < 2.1.0.01"		-		Affected