Problem:
The passwords stored in the Connection Suite database are hashed with MD5 without a salt. This makes commonly used passwords relatively easy to recover through brute force and precomputed look-up tables.
Back when this software was designed, MD5 was considered a state-of-the-art security hash. Dualog Connection Suite is an extremely complex software suite, with many different applications that all rely on these passwords. Changing the password hash is very difficult and needs a thorough analysis. Ideally, all vessel installations would have to update their software at the exact same time to achieve this, or else their applications would fail because they could no longer verify the password. This is not an option, and we cannot update our entire software portfolio in one go either. That said, we are working on finding a fix for the MD5 hash problem.
Workaround:
The best option, for now, is to use long, hard-to-guess passwords, as an attack on an MD5 hash still needs to brute-force your password. Longer passwords are more secure than shorter passwords. We recommend creating passwords that are more than 10 characters long and contain a mix of letters, numbers and special characters.
You should note, however, that the MD5 security hash is only an issue if the attacker already has access to the ship’s Connection Suite database. They need to obtain the stored MD5 hash from the database before they can start a brute force attack on it.
Source:
This vulnerability was found by PenTestPartners (PTP) during a random security test.