Vulnerabilities > CVE-2021-32997 - Use of Password Hash With Insufficient Computational Effort vulnerability in Bakerhughes products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

bakerhughes

CWE-916

NVD

Published: 2022-05-25

Updated: 2022-06-14

Summary

The affected Baker Hughes Bentley Nevada products (3500 System 1 6.x, Part No. 3060/00 versions 6.98 and prior, 3500 System 1, Part No. 3071/xx & 3072/xx versions 21.1 HF1 and prior, 3500 Rack Configuration, Part No. 129133-01 versions 6.4 and prior, and 3500/22M Firmware, Part No. 288055-01 versions 5.05 and prior) utilize a weak encryption algorithm for storage and transmission of sensitive data, which may allow an attacker to more easily obtain credentials used for access.

Vulnerable Configurations

Part	Description	Count
OS	Bakerhughes Bakerhughes Bentley Nevada 3500 System 1 6.X (3060/00) Firmware * Bakerhughes Bentley Nevada 3500 System 1 (3072/Xx) Firmware * Bakerhughes Bentley Nevada 3500 System 1 (3072/Xx) Firmware 21.1 Bakerhughes Bentley Nevada 3500 System 1 (3071/Xx) Firmware * Bakerhughes Bentley Nevada 3500 System 1 (3071/Xx) Firmware 21.1 Bakerhughes Bentley Nevada 3500/22M (288055 01) Firmware * Bakerhughes Bentley Nevada 3500 Rack Configuration (129133 01) Firmware *	7
Hardware	Bakerhughes Bakerhughes Bentley Nevada 3500 System 1 6.X (3060/00) - Bakerhughes Bentley Nevada 3500 System 1 (3072/Xx) - Bakerhughes Bentley Nevada 3500 System 1 (3071/Xx) - Bakerhughes Bentley Nevada 3500/22M (288055 01) - Bakerhughes Bentley Nevada 3500 Rack Configuration (129133 01) -	5

Common Weakness Enumeration (CWE)

CWE-916 - Use of Password Hash With Insufficient Computational Effort

References

https://www.cisa.gov/uscert/ics/advisories/icsa-21-231-02