CVE-2006-1058

BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://bugs.busybox.net/view.php?id=604	Broken Link
http://secunia.com/advisories/19477	Broken Link Vendor Advisory
http://secunia.com/advisories/25098	Broken Link
http://secunia.com/advisories/25848	Broken Link
http://support.avaya.com/elmodocs2/security/ASA-2007-250.htm	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2007-0244.html	Broken Link
http://www.securityfocus.com/bid/17330	Broken Link Third Party Advisory VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/25569	Third Party Advisory VDB Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9483	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:busybox:busybox:1.1.1:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:avaya:aura_application_enablement_services:4.01:::::::*
	cpe:2.3:a:avaya:aura_application_enablement_services:4.1:::::::*
	cpe:2.3:a:avaya:aura_sip_enablement_services::::::::
	cpe:2.3:a:avaya:message_networking::::::::
	cpe:2.3:a:avaya:messaging_storage_server::::::::

History

No history.

Information

Published : 2006-04-04 10:04

Updated : 2024-02-09 03:05

NVD link : CVE-2006-1058

Mitre link : CVE-2006-1058

CVE.ORG link : CVE-2006-1058

JSON object : View

Products Affected

avaya

messaging_storage_server
aura_sip_enablement_services
message_networking
aura_application_enablement_services

busybox

busybox

CWE

CWE-916

Use of Password Hash With Insufficient Computational Effort

{"id": "CVE-2006-1058", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2006-04-04T10:04:00.000", "references": [{"url": "http://bugs.busybox.net/view.php?id=604", "tags": ["Broken Link"], "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/19477", "tags": ["Broken Link", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/25098", "tags": ["Broken Link"], "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/25848", "tags": ["Broken Link"], "source": "secalert@redhat.com"}, {"url": "http://support.avaya.com/elmodocs2/security/ASA-2007-250.htm", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "http://www.redhat.com/support/errata/RHSA-2007-0244.html", "tags": ["Broken Link"], "source": "secalert@redhat.com"}, {"url": "http://www.securityfocus.com/bid/17330", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "secalert@redhat.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25569", "tags": ["Third Party Advisory", "VDB Entry"], "source": "secalert@redhat.com"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9483", "tags": ["Broken Link"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-916"}]}], "descriptions": [{"lang": "en", "value": "BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables."}, {"lang": "es", "value": "BusyBox 1.1.1 no utiliza una \"sal\" cuando genera contrase\u00f1as, lo que facilita a usuarios locales adivinar contrase\u00f1as a partir de un fichero de contrase\u00f1as robado usando t\u00e9cnicas como tablas \"rainbow\".\r\n"}], "lastModified": "2024-02-09T03:05:29.307", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:busybox:busybox:1.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5408DA3E-9CA1-4768-992C-1732A45C4365"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:avaya:aura_application_enablement_services:4.01:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA477675-E93D-41F6-A10C-4B6CFBA97C93"}, {"criteria": "cpe:2.3:a:avaya:aura_application_enablement_services:4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DBE1432-359B-4250-8381-E24511D24B14"}, {"criteria": "cpe:2.3:a:avaya:aura_sip_enablement_services:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CCDF311-E2C3-4AAC-83D1-44938370FBFD", "versionEndExcluding": "5.0"}, {"criteria": "cpe:2.3:a:avaya:message_networking:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D8F6982-2F4D-4D78-92C1-97689D59F3A5"}, {"criteria": "cpe:2.3:a:avaya:messaging_storage_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9AEA45A8-8768-4CB4-8996-91D7F7AEC9F5", "versionEndExcluding": "4.0", "versionStartIncluding": "3.0"}], "operator": "OR"}]}], "vendorComments": [{"comment": "Red Hat is aware of this issue and is tracking it via the following bug:\nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187385\n\nThe Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here:\nhttp://www.redhat.com/security/updates/classification/\n\nThis issue does not affect Red Hat Enterprise Linux 2.1 or 3.", "lastModified": "2006-09-19T00:00:00", "organization": "Red Hat"}], "sourceIdentifier": "secalert@redhat.com"}