Security Advisory IBA-2022-03
Credentials stored in plaintext
| Publishing Date: | 2022-04-12 |
| Last Update: | 2022-04-12 |
| Tracking ID: | IBA-2022-03 |
| CVSS Base Score: | 6.1 |
| CVSS v3 Vector: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L |
Summary
If an attacker got ahold of configuration files he was able to read credentials for the ibaPDA SNMPv3 server because they were stored in plaintext.
Affected products
ibaPDA
All versions prior to v7.3.13
How do I know that I'm affected
Check the version number in the title of the status application on the system where the server is running.
Customer Actions
If the built-in ibaPDA SNMP server is used to monitor the system, please update to ibaPDA v7.3.13 or higher and change credentials used by the SNMP server.
Inform the department that is in charge of the monitoring system about the changed credentials so they can be adjusted accordingly.
Technical Details
Issue
SNMPv3
In the SNMPConfig section of the IO configuration the Password and the EncryptionKey were stored in plaintext.
Acknowledgements
Shell Marine Risk Team
Shell CyberDefence & Risk Operations Penetration Testing team
Christian EP. Wiedemer from Aspin Kemp & Associates Inc.
iba AG recognizes the efforts of those in the security community who help us to improve the security posture of the products and protect customers
Timeline
| 2022-03-21 | Notified by Aspin Kemp & Associates Inc. |
| 2022-04-12 | New ibaPDA version released |
| 2022-04-12 | Security advisory published |