CVE-2020-26550: Vulnerability Analysis & Exploit Details

CVE-2020-26550 Vulnerability Summary

An issue was discovered in Aviatrix Controller before R5.3.1151. An encrypted file containing credentials to unrelated systems is protected by a three-character key.

CVE-2020-26550: Detailed Information and External References

EPSS

0.00784

EPSS %

0.81465

References

0.00784

• https://www.criticalstart.com/multiple-vulnerabilities-discovered-in-aviatrix/

CWE

CWE-330

CAPEC

0.00784

• Brute Force: In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
• Signature Spoofing by Key Recreation: An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
• Session Credential Falsification through Prediction: This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Vulnerable Configurations

• cpe:2.3:a:aviatrix:controller:5.3.1516:*:*:*:*:*:*:*
  cpe:2.3:a:aviatrix:controller:5.3.1516:*:*:*:*:*:*:*

CVSS3 Source

nvd@nist.gov

CVSS3 Type

Primary

CVSS3 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N