CVE-2019-3736 — Storing Passwords in a Recoverable Format in Dell Integrated Data Protection Appliance

CWE-257 — Storing Passwords in a Recoverable Format CWE-327 — Use of a Broken or Risky Cryptographic Algorithm3 documents3 sources

Severity

7.2HIGHNVD

EPSS

0.1%

top 77.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dell Integrated Data Protection Appliance Dell EMC Integrated Data Protection Appliance Firmware

Timeline

PublishedSep 27

Latest updateMay 24

Description

Dell EMC Integrated Data Protection Appliance versions prior to 2.3 contain a password storage vulnerability in the ACM component. A remote authenticated malicious user with root privileges may potentially use a support tool to decrypt encrypted passwords stored locally on the system to use it to access other components using the privileges of the compromised user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5dell/integrated_data_protection_applianceprior to 2.3

▶NVDdell/emc_integrated_data_protection_appliance_firmware2.0, 2.1, 2.2+2

🔴Vulnerability Details

GHSA

GHSA-q7wx-2q75-9872: Dell EMC Integrated Data Protection Appliance versions prior to 2↗2022-05-24

▶

CVEList

CVE-2019-3736: Dell EMC Integrated Data Protection Appliance versions prior to 2↗2019-09-27

▶