published on in guff
tags: automize

Pwning Automize Password Encryption

Event Timeline

  • 13/12/16 Vulnerabilities Discovered
  • 17/12/16 Vendor Notified: Notified of vulnerabilities, requested channel for secure comms (no reply).
  • 17/12/16 CVEs Requested
  • xx/xx/xx Contact Vendor again
  • xx/xx/xx Reply from Vendor: Not really interested - suggested implementing mitigating network defenses to prevent the server hosting Automize from being compromised.
  • 03/01/17 CVEs Assigned
  • xx/xx/xx Update to Vendor: Provided CVE details and final confirmation of any plans to fix.
  • xx/xx/xx Reply from Vendor: Added to wishlist for 12.x, but no plans to issue a patch for older versions.
  • 14/01/17 Public Disclosure

CVE IDs

  • CVE-2016-10101
  • CVE-2016-10102
  • CVE-2016-10103
  • CVE-2016-10104

Shoutouts

  • sizzop - he knows why :)
  • CVE Assignment Team for accepting these requests, even though this vendor is normally out of scope.