Vulnerability CVE-2016-2379

Vulnerability Name:

CVE-2016-2379 (CCN-125858)

Assigned:

2016-06-21

Published:

2016-06-21

Updated:

2017-04-10

Summary:

The Mxit protocol uses weak encryption when encrypting user passwords, which might allow attackers to (1) decrypt hashed passwords by leveraging knowledge of client registration codes or (2) gain login access by eavesdropping on login messages and re-using the hashed passwords.

CVSS v3 Severity:

8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:W/RC:R)

Exploitability Metrics:	Attack Vector (AV): Adjacent Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

6.4 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L)
5.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L/E:U/RL:W/RC:R)

Exploitability Metrics:	Attack Vector (AV): Adjacent Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): High Availibility (A): Low

CVSS v2 Severity:

3.3 Low (CVSS v2 Vector: AV:A/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Adjacent_Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.8 Medium (CCN CVSS v2 Vector: AV:A/AC:H/Au:N/C:P/I:C/A:P)

Exploitability Metrics:	Access Vector (AV): Adjacent_Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Complete Availibility (A): Partial

Vulnerability Type:

CWE-326

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2016-2379

Source: BID
Type: Third Party Advisory, VDB Entry
91335

Source: CCN
Type: Talos Vulnerability Report TALOS-2016-0122
PIDGIN MXIT PROTOCOL USER AUTHENTICATION HIJACK VULNERABILITY

Source: MISC
Type: Third Party Advisory
http://www.talosintelligence.com/reports/TALOS-2016-0122/

Source: XF
Type: UNKNOWN
pidgin-cve20162379-weak-security(125858)

Source: CCN
Type: Pidgin Web site
Pidgin

Source: CONFIRM
Type: Vendor Advisory
https://pidgin.im/news/security/?id=95

Source: GENTOO
Type: Third Party Advisory
GLSA-201701-38

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-2379

Vulnerable Configuration:

Configuration 1:

cpe:/a:pidgin:mxit:-:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:pidgin:pidgin:2.10.11:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:201623790000000	V	CVE-2016-2379 on Ubuntu 18.04 LTS (bionic) - low.	2017-03-29
oval:com.ubuntu.artful:def:20162379000	V	CVE-2016-2379 on Ubuntu 17.10 (artful) - low.	2017-03-29
oval:com.ubuntu.trusty:def:20162379000	V	CVE-2016-2379 on Ubuntu 14.04 LTS (trusty) - low.	2017-03-29
oval:com.ubuntu.xenial:def:201623790000000	V	CVE-2016-2379 on Ubuntu 16.04 LTS (xenial) - low.	2017-03-29
oval:com.ubuntu.bionic:def:20162379000	V	CVE-2016-2379 on Ubuntu 18.04 LTS (bionic) - low.	2017-03-29
oval:com.ubuntu.xenial:def:20162379000	V	CVE-2016-2379 on Ubuntu 16.04 LTS (xenial) - low.	2017-03-29
oval:com.ubuntu.disco:def:201623790000000	V	CVE-2016-2379 on Ubuntu 19.04 (disco) - low.	2017-03-29
oval:com.ubuntu.cosmic:def:20162379000	V	CVE-2016-2379 on Ubuntu 18.10 (cosmic) - low.	2017-03-29
oval:com.ubuntu.cosmic:def:201623790000000	V	CVE-2016-2379 on Ubuntu 18.10 (cosmic) - low.	2017-03-29
oval:com.ubuntu.precise:def:20162379000	V	CVE-2016-2379 on Ubuntu 12.04 LTS (precise) - low.	2017-03-29

BACK