TID-329: Improper Password Storage
Threat Description
If a device stores passwords in an unsafe manner (e.g., in a cleartext file with no read restrictions), it may be possible for threat actors to retrieve system or user account passwords for that device. Threat actors can then use the obtained passwords to escalate their privileges and perform actions on the device, or move laterally to other systems where the same credentials are reused. Unsafe storage techniques include storing passwords in cleartext; encrypting passwords instead of hashing them (the decryption key must also be present on the device, so anyone who can read the stored password can usually recover it); using fast general-purpose hash functions such as MD5 or SHA-1, which are cheap to brute force; and omitting a per-password salt, which lets a single precomputed table or a single cracking pass cover every account and makes accounts that share a password immediately visible.
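The following is an added example, not code from this page or from any vendor, that contrasts the weak storage forms described above with a hardened form. It audits a constructed account file (cleartext and unsalted MD5 entries, with two accounts sharing a password) using a constructed wordlist, then stores and verifies the same password with a per-user random salt and iterated PBKDF2-HMAC-SHA256. The account names, passwords, wordlist and iteration count are assumptions chosen for the demonstration.

```python
"""
Added example (not from the threat page or any vendor): recoverable
password storage versus salted, iterated hashing. Every account,
password and wordlist entry below is constructed for the demonstration.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "admin1234", "letmein", "qwerty"]


# --- Weak form: unsalted MD5, i.e. storage in a recoverable format --------
def weak_store(password: str) -> str:
    """One fast hash, no salt: identical passwords give identical values."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(stored_hash: str, wordlist: list) -> Optional[str]:
    """Dictionary attack: one MD5 per candidate; with no salt, one pass
    over the wordlist covers every account in the file."""
    for candidate in wordlist:
        if weak_store(candidate) == stored_hash:
            return candidate
    return None


# Constructed device account file, "user -> scheme:value". Two MD5 users
# share the password "letmein", which the unsalted hash makes obvious.
SAMPLE_ACCOUNTS = {
    "admin": "plain:admin1234",
    "operator": "md5:" + weak_store("letmein"),
    "service": "md5:" + weak_store("letmein"),
}


def audit(accounts: dict) -> dict:
    """Flag cleartext entries, unsalted MD5 entries, entries recoverable
    from the wordlist, and accounts whose hashes collide (shared password)."""
    findings = {}
    by_hash = {}
    for user, record in accounts.items():
        scheme, _, value = record.partition(":")
        issues = []
        if scheme == "plain":
            issues.append("cleartext")
        elif scheme == "md5":
            issues.append("unsalted-md5")
            recovered = crack_weak(value, WORDLIST)
            if recovered is not None:
                issues.append("cracked:" + recovered)
            by_hash.setdefault(value, []).append(user)
        findings[user] = issues
    for value, users in by_hash.items():
        if len(users) > 1:
            for u in users:
                others = sorted(x for x in users if x != u)
                findings[u].append("shared-hash:" + ",".join(others))
    return findings


# --- Hardened form: per-user random salt + PBKDF2-HMAC-SHA256 -----------
# Assumption: the iteration count is tuned so one verification costs on the
# order of a hundred milliseconds on the target device.
ITERATIONS = 600_000


def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte salt is drawn per password unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_strong(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time. Malformed records are rejected, not raised."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ACCOUNTS).items():
        print(user, issues)
    rec = strong_store("letmein")
    print(rec)
    print("verify ok:", verify_strong("letmein", rec),
          "wrong pw:", verify_strong("letmein!", rec))
```

Running the audit shows the admin entry as cleartext, both MD5 entries as unsalted and recoverable from the wordlist, and each flagged as sharing its hash with the other. Storing the same password twice with strong_store yields two different records because of the random salt, and verify_strong accepts only the original password and only well-formed records.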
Threat Maturity and Evidence
Known Exploitable Weakness
D-Link DIR-300 Router Cleartext Storage of a Password Vulnerability “The D-Link DIR-300 router stores cleartext passwords, which allows context-dependent attackers to obtain sensitive information.”
CWE
CWE-257: Storing Passwords in a Recoverable Format
“The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.”
CVE
Siemens S7-1200 Insecure Storage of HTTPS CA Certificate - CVE-2012-3037
“The certificate authority (CA) for HTTPS connections, which is installed on Siemens SIMATIC S7-1200 PLC, stores its private key insecurely. This key is used for signing certificates. Once this key is obtained, an attacker may create a forged certificate. This can then be used to complete a Man-in-the-Middle attack on a browser that already trusts this device’s CA.”