CVE-2021-32997

The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 versions 5.05 and prior) utilize a weak encryption algorithm for storage and transmission of sensitive data, which may allow an attacker to more easily obtain credentials used for access.

CVSS v3.0 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-21-231-02	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_6.x_\(3060\/00\)_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:bakerhughes:bentley_nevada_3500_system_1_6.x_\(3060\/00\):-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

OR	cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\(3072\/xx\)_firmware:21.1:-::::::
	cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\(3072\/xx\)_firmware::::::::

cpe:2.3:h:bakerhughes:bentley_nevada_3500_system_1_\(3072\/xx\):-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\(3071\/xx\)_firmware:21.1:-::::::
	cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\(3071\/xx\)_firmware::::::::

cpe:2.3:h:bakerhughes:bentley_nevada_3500_system_1_\(3071\/xx\):-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:bakerhughes:bentley_nevada_3500\/22m_\(288055-01\)_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:bakerhughes:bentley_nevada_3500\/22m_\(288055-01\):-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:bakerhughes:bentley_nevada_3500_rack_configuration_\(129133-01\)_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:bakerhughes:bentley_nevada_3500_rack_configuration_\(129133-01\):-:*:*:*:*:*:*:*

Information

Published : 2022-05-25 07:15

Updated : 2022-06-14 06:43

NVD link : CVE-2021-32997

Mitre link : CVE-2021-32997

JSON object : View

CWE

CWE-916

Use of Password Hash With Insufficient Computational Effort

Products Affected

bakerhughes

bentley_nevada_3500_system_1_6.x_\(3060\/00\)
bentley_nevada_3500_system_1_\(3071\/xx\)_firmware
bentley_nevada_3500_rack_configuration_\(129133-01\)_firmware
bentley_nevada_3500_system_1_6.x_\(3060\/00\)_firmware
bentley_nevada_3500\/22m_\(288055-01\)_firmware
bentley_nevada_3500\/22m_\(288055-01\)
bentley_nevada_3500_rack_configuration_\(129133-01\)
bentley_nevada_3500_system_1_\(3071\/xx\)
bentley_nevada_3500_system_1_\(3072\/xx\)_firmware
bentley_nevada_3500_system_1_\(3072\/xx\)

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-231-02", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-231-02", "tags": ["Third Party Advisory", "US Government Resource"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 versions 5.05 and prior) utilize a weak encryption algorithm for storage and transmission of sensitive data, which may allow an attacker to more easily obtain credentials used for access."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-916"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-32997", "ASSIGNER": "ics-cert@hq.dhs.gov"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}}, "publishedDate": "2022-05-25T14:15Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_6.x_\\(3060\\/00\\)_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "6.98"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:bakerhughes:bentley_nevada_3500_system_1_6.x_\\(3060\\/00\\):-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\\(3072\\/xx\\)_firmware:21.1:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\\(3072\\/xx\\)_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "21.1"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:bakerhughes:bentley_nevada_3500_system_1_\\(3072\\/xx\\):-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\\(3071\\/xx\\)_firmware:21.1:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:bakerhughes:bentley_nevada_3500_system_1_\\(3071\\/xx\\)_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "21.1"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:bakerhughes:bentley_nevada_3500_system_1_\\(3071\\/xx\\):-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:bakerhughes:bentley_nevada_3500\\/22m_\\(288055-01\\)_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "5.05"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:bakerhughes:bentley_nevada_3500\\/22m_\\(288055-01\\):-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:bakerhughes:bentley_nevada_3500_rack_configuration_\\(129133-01\\)_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "6.4"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:bakerhughes:bentley_nevada_3500_rack_configuration_\\(129133-01\\):-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-06-14T13:43Z"}

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2021-32997

7.5^/10

5.0^/10

Attach tags to `CVE-2021-32997`