Submission #383223: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-757: Selection of Less-Secure Algorithm During Negotiation (Information)

Title: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

Description:

NOTE - This submission shall be embargoed until 14:00 CET on 2024-08-01 - NOTE

CVE-2024-38883: An issue in Horizon Business Services Inc. Caterease Software allows a remote attacker to perform a Drop Encryption Level attack due to the selection of a less-secure algorithm during negotiation.

Vulnerability Type: CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Vendor of the Product: Horizon Business Services Inc.
Affected Product: Caterease Software
Affected Versions: 16.0.1.1663 through 24.0.1.2405
Attack Vector: Remote
Attack Type: CAPEC-620: Drop Encryption Level

Vulnerability Summary: Caterease Software does not enforce encryption during the TDS7 PreLogin authentication sequence, making it susceptible to a downgrade attack. Attackers can intercept the initial handshake between the Caterease Software client and the SQL server and manipulate the server's response to indicate that encryption is not supported. As a result, the client proceeds to send sensitive information, including database credentials, in plaintext over the network. By exploiting this vulnerability, attackers can capture the unencrypted credentials and use them to gain unauthorized access to the SQL database. This exposure not only compromises the confidentiality of the credentials but also allows attackers to read, modify, or delete database records, leading to significant data breaches and integrity issues.

CVSS Base Score: Critical Risk - 9.3
CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Exploitability Metrics:
Attack Vector (AV): Adjacent Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed

Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): None
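The summary above describes the defect in terms of the TDS PreLogin ENCRYPTION option: a client that simply follows the server's announced value can be steered to ENCRYPT_NOT_SUP and then sends its login in the clear. The following is an added illustration, not code from Caterease, the vendor, or the submitter. It builds constructed PreLogin packets, parses the ENCRYPTION option using the token and value constants defined in MS-TDS, and places a weak client policy (follow whatever the server says) beside the hardened policy a client should apply (refuse to continue when encryption is required and the server announces it is unsupported or omits the option). The function names and the "decision" strings are this example's own.

```python
"""
Client-side policy check for the TDS7 PreLogin ENCRYPTION option.

Added example (not Caterease or vendor code). Packet layout, option tokens and
ENCRYPTION values follow the MS-TDS PreLogin specification; everything else
(function names, decision strings, sample packets) is constructed here.
"""
import struct
from typing import Optional

# PreLogin option tokens (MS-TDS)
OPT_VERSION = 0x00
OPT_ENCRYPTION = 0x01
OPT_TERMINATOR = 0xFF

# ENCRYPTION option values (MS-TDS)
ENCRYPT_OFF = 0x00      # login packet encrypted, rest of the session in the clear
ENCRYPT_ON = 0x01       # whole session encrypted
ENCRYPT_NOT_SUP = 0x02  # no encryption at all: login packet travels in plaintext
ENCRYPT_REQ = 0x03      # encryption required

TDS_PRELOGIN_TYPE = 0x12  # TDS packet type for PreLogin


def build_prelogin(encryption: int, version: bytes = b"\x0c\x00\x0b\xe8\x00\x00") -> bytes:
    """Build a minimal PreLogin packet carrying VERSION and ENCRYPTION.

    Payload = option table [(token, BE16 offset, BE16 length) * n] + 0xFF + option data.
    Offsets are relative to the start of the payload (after the 8-byte TDS header).
    The default VERSION bytes are a constructed sample value.
    """
    options = [(OPT_VERSION, version), (OPT_ENCRYPTION, bytes([encryption]))]
    table_len = len(options) * 5 + 1
    table, data, offset = b"", b"", table_len
    for token, value in options:
        table += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    payload = table + bytes([OPT_TERMINATOR]) + data
    # TDS header: type, status (0x01 = end of message), length, SPID, packet id, window
    header = struct.pack(">BBHHBB", TDS_PRELOGIN_TYPE, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload


def parse_prelogin_encryption(packet: bytes) -> Optional[int]:
    """Return the ENCRYPTION value announced in a PreLogin packet, or None if the option is absent."""
    if len(packet) < 8 or packet[0] != TDS_PRELOGIN_TYPE:
        raise ValueError("not a TDS PreLogin packet")
    payload = packet[8:]
    pos = 0
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        if pos + 5 > len(payload):
            raise ValueError("truncated option table")
        token, off, length = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == OPT_ENCRYPTION:
            if length != 1 or off + 1 > len(payload):
                raise ValueError("malformed ENCRYPTION option")
            return payload[off]
        pos += 5
    return None


def weak_client_decision(server_enc: Optional[int]) -> str:
    """The CWE-757 pattern: accept whatever the server announces.

    A tampered ENCRYPT_NOT_SUP (or a stripped option) silently yields a plaintext login.
    """
    if server_enc in (ENCRYPT_ON, ENCRYPT_REQ):
        return "encrypt-session"
    if server_enc == ENCRYPT_OFF:
        return "encrypt-login-only"
    return "plaintext-login"


def hardened_client_decision(server_enc: Optional[int], require_encryption: bool = True) -> str:
    """Enforce the client's own minimum: never send the login in the clear when encryption is required."""
    if server_enc in (ENCRYPT_ON, ENCRYPT_REQ):
        return "encrypt-session"
    if server_enc == ENCRYPT_OFF and not require_encryption:
        return "encrypt-login-only"
    if require_encryption:
        return "abort"  # refuse rather than downgrade to a plaintext login
    return "plaintext-login"


if __name__ == "__main__":
    for value in (ENCRYPT_ON, ENCRYPT_OFF, ENCRYPT_NOT_SUP):
        announced = parse_prelogin_encryption(build_prelogin(value))
        print(f"server announces 0x{announced:02x}: weak={weak_client_decision(announced)} "
              f"hardened={hardened_client_decision(announced)}")
```

The weak policy is what the summary describes: the client's behaviour is decided entirely by an unauthenticated byte in the server's PreLogin response, so anyone who can rewrite that byte on the wire chooses the encryption level. The hardened policy treats the client's requirement as the floor and aborts the connection when the server (or a middlebox) offers less, which also gives operators a clear failure to alert on instead of a silent plaintext login.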
User: jTag Labs (UID 51246)
Submitted: 30/07/2024 04:53 PM (2 years ago)
Moderation: 01/08/2024 02:14 PM (2 days later)
Status: Approved
VulDB Entry: 273367 [Horizon Business Services Caterease up to 24.0.1.2405 TDS7 PreLogin Authentication weak encryption]
Points: 17
