CVE-2019-3700 in yast2-security

Summary

by MITRE

yast2-security didn't use secure defaults to protect passwords. This became a problem on 2019-10-07 when configuration files that set secure settings were moved to a different location. As of the 20191022 snapshot the insecure default settings were used until yast2-security switched to stronger defaults in 4.2.6 and used the new configuration file locations. Passwords created during this time used DES password encryption and are not properly protected against attackers that are able to access the password hashes.


Analysis

by VulDB Data Team • 03/26/2024

CVE-2019-3700 is a weakness in the yast2-security package used on openSUSE systems: after a configuration file relocation, the package fell back to an insecure default for password hashing. yast2-security is the YaST module that manages system security settings, including the hashing method applied to newly created passwords. On October 7, 2019 the configuration files carrying the secure settings were moved to a new location. yast2-security kept reading the old location, found no setting there, and applied its own built-in default, which was the legacy DES scheme.

The defect is a configuration-lookup problem, which the page files under CWE-706 (Use of Incorrectly-Resolved Name or Reference): the package resolved the wrong location for the settings and so never applied the stronger values that had been placed at the new one. Nothing warned administrators or users that the effective setting had changed. From October 7, 2019 until yast2-security switched to stronger defaults in version 4.2.6 and began reading the new locations (the 20191022 Tumbleweed snapshot still shipped the insecure state), passwords created on affected systems were hashed with the traditional crypt(3) DES scheme. That scheme is not fit for password storage: it truncates the password to 8 characters, uses only a 12-bit salt, and is orders of magnitude cheaper to compute than sha512crypt, bcrypt or yescrypt, so an attacker can test candidate passwords at a correspondingly higher rate.

The practical impact falls on anyone who can obtain the hashes, for example by reading /etc/shadow after a local privilege escalation or from a backup. DES crypt hashes can be recovered by offline brute force far faster than hashes from a modern scheme, and the 12-bit salt is small enough that precomputed tables per salt value remain practical. In ATT&CK terms this is T1110.002, Brute Force: Password Cracking (offline cracking of captured hashes), rather than online password guessing. DES itself has been considered broken since the 1990s, and crypt(3) DES was deprecated as a password hash long before 2019. Organizations running affected systems during the window faced a higher risk of credential compromise and, through the recovered credentials, privilege escalation and lateral movement.

Remediation is to update yast2-security to version 4.2.6 or later, which reads the new configuration locations and restores a strong default. The update does not rehash existing passwords: a hash created during the window stays a DES hash until the password is changed. Administrators should therefore inspect /etc/shadow for DES-format hashes (13-character values with no $id$ prefix), force a password change for those accounts starting with privileged ones, and confirm that the system-wide hashing method is SHA512 or another modern scheme. More generally, the incident shows how a routine file relocation can silently reintroduce a deprecated default: changes to security-relevant configuration paths deserve a test that checks the effective setting rather than the presence of a file, and a configuration baseline such as the CIS Controls or NIST SP 800-53 gives a reference to check against.
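The lookup failure described above and the shadow audit the remediation calls for, as an added example in Python that is not part of VulDB's page or of yast2-security itself. It assumes that the setting in question is the shadow suite's ENCRYPT_METHOD key in a login.defs-style file and that the built-in fallback when the key is absent is DES, which is how the page describes the insecure default; the file contents and the /etc/shadow excerpt are constructed for illustration.

```python
"""Added example, not code from yast2-security or SUSE. Assumptions: the
setting is the shadow suite's ENCRYPT_METHOD key in a login.defs-style
file, and the built-in fallback when that key is missing is "DES" (the
insecure default the page describes). All sample inputs are constructed."""

# crypt(3) scheme identifiers, as they appear between the first two '$'.
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}

# Schemes that should not be accepted for new passwords on a current system.
WEAK = {"descrypt", "md5crypt"}


def effective_encrypt_method(login_defs_text, fallback="DES"):
    """Return the hashing method that applies given the contents read from
    the configuration path a tool looks at. If the file at that path never
    sets ENCRYPT_METHOD (for example because the real file moved elsewhere),
    the fallback wins; a fallback of DES is exactly the bug."""
    method = fallback
    for raw in login_defs_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "ENCRYPT_METHOD":
            method = parts[1].strip().upper()   # last setting wins
    return method


def classify_hash(field):
    """Name the scheme used by one /etc/shadow password field."""
    if field == "":
        return "empty"              # passwordless account
    if field[0] in "*!":
        return "locked"             # locked, possibly with an old hash kept
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "unknown")
    if len(field) == 13:
        return "descrypt"           # 2-char salt + 11 chars, no '$id$' prefix
    return "unknown"


def audit_shadow(shadow_text):
    """Return (user, scheme) for every account whose hash is weak, empty or
    unrecognised; malformed lines are reported so nothing is silently skipped."""
    findings = []
    for lineno, line in enumerate(shadow_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            findings.append((f"line {lineno}", "malformed"))
            continue
        scheme = classify_hash(fields[1])
        if scheme in WEAK or scheme in ("empty", "unknown"):
            findings.append((fields[0], scheme))
    return findings


# Constructed sample: what a tool reads from the old path after the real
# settings moved away (only unrelated keys remain).
OLD_PATH_LOGIN_DEFS = "UMASK 022\n# ENCRYPT_METHOD used to live here\n"

# Constructed sample: the relocated file with the secure setting.
NEW_PATH_LOGIN_DEFS = "ENCRYPT_METHOD SHA512\nSHA_CRYPT_MIN_ROUNDS 5000\n"

# Constructed /etc/shadow excerpt; 'bob' carries a 13-character DES hash.
SAMPLE_SHADOW = """\
root:$6$Qf3k1z0s$m2Lx9Qe7fZqHn4rVbW8yT1aKc0pJdS6gU3iO5eR9tYwNlB7vC2xA4zM8hF1kD3sG9jP6qL0uE5nV:18178:0:99999:7:::
alice:$2y$10$Tq7vZ2mLp9XnR4sWkE1yBuH6gC3dJ8fA0iO5rN2tY9eKl7uM1wQzS:18178:0:99999:7:::
bob:kAq9dqJY2Xh3E:18178:0:99999:7:::
carol:$1$Yx8Tq2Lp$7hN3gV5rK9mQ1sW4eZ6uA0:18178:0:99999:7:::
daemon:*:18178:0:99999:7:::
svc:!:18178:0:99999:7:::
"""

if __name__ == "__main__":
    print("old path resolves to:", effective_encrypt_method(OLD_PATH_LOGIN_DEFS))
    print("new path resolves to:", effective_encrypt_method(NEW_PATH_LOGIN_DEFS))
    for user, scheme in audit_shadow(SAMPLE_SHADOW):
        print(f"reset password for {user}: hash scheme is {scheme}")
```

Run as a script, the old path resolves to DES while the new path resolves to SHA512, and the audit flags bob (descrypt) and carol (md5crypt) for a forced password change. On a real host, feed audit_shadow the contents of /etc/shadow read as root; locked accounts and modern schemes produce no findings.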

Responsible

SUSE

Reservation

01/03/2019

Moderation

accepted

CPE

ready

EPSS

0.00035

KEV

no

Activities

very low
