CVE-2017-7306

04.04.2017, 16:59

Riverbed RiOS through 9.6.0 has a weak default password for the secure vault, which makes it easier for physically proximate attackers to defeat the secure-vault protection mechanism by leveraging knowledge of the password algorithm and the appliance serial number. NOTE: the vendor believes that this does not meet the definition of a vulnerability. The product contains correct computational logic for supporting arbitrary password changes by customers; however, a password change is optional to meet different customers' needs

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.4 MEDIUM	PHYSICAL	HIGH	NONE	CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CISA-ADP	ADP	6.4 MEDIUM	PHYSICAL	HIGH	NONE	CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Vendor	Product	Version
riverbed	rios	𝑥 ≤ 9.6.0

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-521 - Weak Password Requirements
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

References

http://seclists.org/fulldisclosure/2017/Feb/25

https://supportkb.riverbed.com/support/index?page=content&id=S30065

http://seclists.org/fulldisclosure/2017/Feb/25

https://supportkb.riverbed.com/support/index?page=content&id=S30065