
Integria IMS incorrect authorization

Publication date: 10/06/2021
Importance: 3 - Medium
Affected resources:

Integria IMS version 5.0.92.

Description: 

INCIBE has coordinated the publication of a vulnerability in Integria IMS, with the internal code INCIBE-2021-0405, which has been discovered by @nag0mez (special mention to @_Barriuso).

CVE-2021-3833 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N.

Solution: 

This vulnerability has been solved in Integria IMS 5.0 93.

Detail: 

Integria IMS login check uses a loose comparator ("==") to compare the MD5 hash of the password provided by the user and the MD5 hash stored in the database.

An attacker with a specifically formatted password could exploit this vulnerability to log in to the system with different passwords.
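
The comparison flaw described above and its fix, as an added example that is not Integria IMS code; the function names and the two digest strings are constructed for illustration. PHP's `==` compares two numeric-looking strings as numbers, so the loose check accepts the mismatched pair below while `hash_equals()` rejects it.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern from the advisory: loose comparison of two hex digests.
// (Hypothetical function name; not the product's own code.)
function login_check_loose(string $storedHash, string $submittedHash): bool
{
    // If both operands are numeric strings, PHP compares them as numbers,
    // so two different digests can be reported as equal.
    return $storedHash == $submittedHash;
}

// Hardened pattern: byte-for-byte, constant-time string comparison.
function login_check_strict(string $storedHash, string $submittedHash): bool
{
    return hash_equals($storedHash, $submittedHash);
}

// Audit helper (hypothetical): true when a stored digest is a numeric string
// to PHP and is therefore exposed to numeric comparison under "==".
function digest_is_numeric_string(string $storedHash): bool
{
    return is_numeric($storedHash);
}

// Constructed 32-character strings shaped like MD5 output. They are not the
// digests of any real password; they only illustrate the numeric-string form.
$stored    = '0e' . str_repeat('1', 30);
$submitted = '0e' . str_repeat('2', 30);

// An ordinary digest containing hex letters, for contrast.
$ordinary = md5('constructed sample input');

printf("digests identical:      %s\n", var_export($stored === $submitted, true));
printf("loose check accepts:    %s\n", var_export(login_check_loose($stored, $submitted), true));
printf("strict check accepts:   %s\n", var_export(login_check_strict($stored, $submitted), true));
printf("stored flagged by audit:   %s\n", var_export(digest_is_numeric_string($stored), true));
printf("ordinary flagged by audit: %s\n", var_export(digest_is_numeric_string($ordinary), true));
```

Running the audit helper over the stored hash column identifies accounts whose digests PHP treats as numeric strings, which are candidates for a forced password reset on versions that still use the loose check.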

CWE-863: Incorrect Authorization.

TIMELINE:

08/04/2021 - Researchers' discovery.
09/04/2021 - Researchers contact INCIBE.
20/05/2021 - Integria IMS confirms that the fix version and the release software patch have been published (Security Patch).
06/10/2021 - The advisory is published by INCIBE.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.