CVE-2022-40258

Weak password hashes for Redfish & API

CVSS 5.3 MEDIUM | EPSS 0.4% | CWE-916
In short

AMI MegaRAC uses weak password hashing methods for its Redfish and API interfaces, so stored passwords can be cracked if an attacker obtains the password database. This matters because weak hashes can be broken quickly, allowing attackers to compromise user accounts.

Technical detail

The vulnerability stems from the use of insufficiently strong password hashing (CWE-916: Use of Password Hash With Insufficient Computational Effort) for credential storage in AMI MegaRAC's Redfish and API implementations. If an attacker obtains the stored password hashes by other means (for example, access to configuration files or a database backup), a weak hash offers little resistance to dictionary or brute-force cracking, and recovered passwords lead to account compromise and potential privilege escalation within the management interface. The mitigation for this class of weakness is a deliberately slow, salted password hash (such as bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) rather than a fast general-purpose hash.

Summary generated and translated by AI from the official description.
Official title: AMI Megarac Weak password hashes for Redfish & API
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
