Vulnerability Name: | CCN-12048 |
Published: | 2003-05-22 |
Updated: | 2003-05-22 |
Summary: | Microsoft Windows 2000 and Windows Server 2003 use a weak password encryption algorithm that could allow a local attacker to obtain user passwords. Microsoft Windows 2000 and Windows Server 2003 support LAN Manager (LM) authentication in addition to Windows NT authentication (NTLM) and NTLM version 2 (NTLMv2).
For a password containing fewer than 15 characters, Windows by default generates both an LM hash and an NT hash and stores them in either the local Security Account Manager (SAM) database or in Active Directory. As with the later NT authentication mechanisms, LM authentication stores a user account password in an encrypted representation known as a 'hash'. The LM hash, however, is relatively weak compared to the NT hash. A local attacker can use this vulnerability to obtain user passwords using brute force password cracking techniques. |
CVSS v3 Severity: | |
CVSS v2 Severity: | |
Vulnerability Consequences: | Gain Access |
References: | Source: XF, Type: UNKNOWN, win-weak-password-encryption(12048); Source: CCN, Type: Microsoft Knowledge Base Article 299656, New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager |
Vulnerable Configuration: | Configuration CCN 1: |
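The summary above says Windows stores an LM hash next to the NT hash by default for passwords shorter than 15 characters. The following audit sketch is an added example, not part of the advisory or of any Microsoft tooling: it reads an account export and reports which accounts still have an LM hash stored. The `user:rid:lmhash:nthash:::` layout, the account names and the hash values are assumptions constructed for the example.

```python
"""Audit pwdump-style account lines for stored LM hashes (added example)."""

# LM hash of the empty string; export tools commonly print it as the
# placeholder when no LM hash is stored for an account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX = set("0123456789abcdef")

# Constructed sample in the assumed "user:rid:lmhash:nthash:::" layout.
# Account names and hash values are made up for this example.
SAMPLE = """\
alice:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
svc_backup:1003:NO PASSWORD*********************:8899aabbccddeeff0011223344556677:::
carol:1004:AABBCCDDEEFF00112233445566778899:a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5:::
broken line without fields
"""

def lm_hash_stored(lm_field):
    """True when the LM column holds a real 128-bit hash, not a placeholder."""
    lm = lm_field.strip().lower()
    if len(lm) != 32 or not set(lm) <= HEX:
        return False          # e.g. "NO PASSWORD****" or a blank column
    return lm != EMPTY_LM

def audit(text):
    """Return (accounts_with_lm, accounts_without_lm, malformed_line_numbers)."""
    with_lm, without_lm, malformed = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            malformed.append(lineno)   # report instead of guessing
            continue
        (with_lm if lm_hash_stored(fields[2]) else without_lm).append(fields[0])
    return with_lm, without_lm, malformed

if __name__ == "__main__":
    weak, ok, bad = audit(SAMPLE)
    print("LM hash still stored :", ", ".join(weak) or "none")
    print("no LM hash stored    :", ", ".join(ok) or "none")
    print("unparseable lines    :", bad or "none")
```

An account that still shows an LM hash after the registry change from Knowledge Base Article 299656 has been applied has not changed its password since; the stored LM hash is only dropped at the next password change.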