CVE-2021-32997

The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 versions 5.05 and prior) utilize a weak encryption algorithm for storage and transmission of sensitive data, which may allow an attacker to more easily obtain credentials used for access.

CVSS v3 8.2 HIGH
CVSS v2.0 5.0 MEDIUM

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-21-231-02	Third Party Advisory US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-21-231-02	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_6.x_\(3060\/00\)_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:bakerhughes:bentley_nevada_3500_system_1_6.x_\(3060\/00\):-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

OR	cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\(3072\/xx\)_firmware::::::::
	cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\(3072\/xx\)_firmware:21.1:-::::::

cpe:2.3:h:bakerhughes:bentley_nevada_3500_system_1_\(3072\/xx\):-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\(3071\/xx\)_firmware::::::::
	cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\(3071\/xx\)_firmware:21.1:-::::::

cpe:2.3:h:bakerhughes:bentley_nevada_3500_system_1_\(3071\/xx\):-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:bakerhughes:bentley_nevada_3500\/22m_\(288055-01\)_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:bakerhughes:bentley_nevada_3500\/22m_\(288055-01\):-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:bakerhughes:bentley_nevada_3500_rack_configuration_\(129133-01\)_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:bakerhughes:bentley_nevada_3500_rack_configuration_\(129133-01\):-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:08

Type	Values Removed	Values Added
References	~~() https://www.cisa.gov/uscert/ics/advisories/icsa-21-231-02 - Third Party Advisory, US Government Resource~~	() https://www.cisa.gov/uscert/ics/advisories/icsa-21-231-02 - Third Party Advisory, US Government Resource
CVSS	v2 : ~~5.0~~ v3 : ~~7.5~~	v2 : 5.0 v3 : 8.2

Information

Published : 2022-05-25 14:15

Updated : 2024-11-21 06:08

NVD link : CVE-2021-32997

Mitre link : CVE-2021-32997

CVE.ORG link : CVE-2021-32997

JSON object : View

Products Affected

bakerhughes

bentley_nevada_3500_system_1_\(3072\/xx\)
bentley_nevada_3500_system_1_6.x_\(3060\/00\)
bentley_nevada_3500_system_1_6.x_\(3060\/00\)_firmware
bentley_nevada_3500_rack_configuration_\(129133-01\)
bentley_nevada_3500_rack_configuration_\(129133-01\)_firmware
bentley_nevada_3500\/22m_\(288055-01\)_firmware
bentley_nevada_3500_system_1_\(3071\/xx\)
bentley_nevada_3500_system_1_\(3072\/xx\)_firmware
bentley_nevada_3500\/22m_\(288055-01\)
bentley_nevada_3500_system_1_\(3071\/xx\)_firmware

CWE

CWE-916

Use of Password Hash With Insufficient Computational Effort

{"id": "CVE-2021-32997", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-05-25T14:15:08.517", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-231-02", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-231-02", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-916"}]}], "descriptions": [{"lang": "en", "value": "The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 versions 5.05 and prior) utilize a weak encryption algorithm for storage and transmission of sensitive data, which may allow an attacker to more easily obtain credentials used for access."}, {"lang": "es", "value": "Los productos Baker Hughes Bentley Nevada afectados (3500 System 1 6.x, Part No. 3060/00 versiones 6.98 y anteriores, 3500 System 1, Part No. 3071/xx & 3072/xx versiones 21.1 HF1 y anteriores, 3500 Rack Configuration, Part No. 129133-01 versiones 6. 4 y anteriores, y 3500/22M Firmware, Part No. 288055-01 versiones 5.05 y anteriores) usan un algoritmo de cifrado d\u00e9bil para el almacenamiento y la transmisi\u00f3n de datos confidenciales, lo que puede permitir a un atacante obtener m\u00e1s f\u00e1cilmente las credenciales usadas para el acceso"}], "lastModified": "2024-11-21T06:08:05.613", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_6.x_\\(3060\\/00\\)_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D198966-704F-472F-BDB2-DEEB373BEE97", "versionEndIncluding": "6.98"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:bakerhughes:bentley_nevada_3500_system_1_6.x_\\(3060\\/00\\):-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "92AFE33B-7B36-4E47-A3D2-58100666A687"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\\(3072\\/xx\\)_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "329219B4-4D50-4E8D-A031-E94625F75C71", "versionEndExcluding": "21.1"}, {"criteria": "cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\\(3072\\/xx\\)_firmware:21.1:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A12C1C9-8CF6-404E-891B-08AE58DC0918"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:bakerhughes:bentley_nevada_3500_system_1_\\(3072\\/xx\\):-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1242CC0D-91C8-44E3-B9C9-3AD981AE4516"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\\(3071\\/xx\\)_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BE7806D1-8890-45A7-BF24-C352B8AF086A", "versionEndExcluding": "21.1"}, {"criteria": "cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\\(3071\\/xx\\)_firmware:21.1:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2791BCC7-4440-4EF0-965B-9BE892CE94BE"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:bakerhughes:bentley_nevada_3500_system_1_\\(3071\\/xx\\):-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7A606BE6-A5AE-41F4-997F-07293E30BB8E"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:bakerhughes:bentley_nevada_3500\\/22m_\\(288055-01\\)_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1DDD7FD6-0200-43B8-A5C1-AAF5CA75D47E", "versionEndIncluding": "5.05"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:bakerhughes:bentley_nevada_3500\\/22m_\\(288055-01\\):-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2A328241-DE36-4822-9D2C-BE96E708B2C1"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:bakerhughes:bentley_nevada_3500_rack_configuration_\\(129133-01\\)_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B40E649D-AE52-49A9-9D96-D39538650C38", "versionEndIncluding": "6.4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:bakerhughes:bentley_nevada_3500_rack_configuration_\\(129133-01\\):-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C683EA5A-7C17-4F64-9A7D-F15A5FA9E35A"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}

8.2 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2021-32997

8.2^/10

5.0^/10

Attach tags to `CVE-2021-32997`