CVE-2021-32997

25.05.2022, 14:15

The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 versions 5.05 and prior) utilize a weak encryption algorithm for storage and transmission of sensitive data, which may allow an attacker to more easily obtain credentials used for access.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
icscert	CNA	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 10%

Vendor	Product	Version
bakerhughes	bentley_nevada_3500_system_1_6.x_\(3060\/00\)_firmware	𝑥 ≤ 6.98
bakerhughes	bentley_nevada_3500_system_1_\(3072\/xx\)_firmware	𝑥 < 21.1
bakerhughes	bentley_nevada_3500_system_1_\(3072\/xx\)_firmware	21.1
bakerhughes	bentley_nevada_3500_system_1_\(3071\/xx\)_firmware	𝑥 < 21.1
bakerhughes	bentley_nevada_3500_system_1_\(3071\/xx\)_firmware	21.1
bakerhughes	bentley_nevada_3500\/22m_\(288055-01\)_firmware	𝑥 ≤ 5.05
bakerhughes	bentley_nevada_3500_rack_configuration_\(129133-01\)_firmware	𝑥 ≤ 6.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-916 - Use of Password Hash With Insufficient Computational Effort
The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

References

https://www.cisa.gov/uscert/ics/advisories/icsa-21-231-02