Use of Insufficiently Random Values

CVE-2019-13603

Medium

5.9/10

Summary

An issue was discovered in the HID Global DigitalPersona (formerly Crossmatch) U.are.U 4500 Fingerprint Reader Windows Biometric Framework driver 5.0.0.5. It has a statically coded initialization vector to encrypt a user's fingerprint image, resulting in weak encryption of that. This, in combination with retrieving an encrypted fingerprint image and encryption key (through another vulnerability), allows an attacker to obtain a user's fingerprint image.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-330 - Use of Insufficiently Random Values

The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

References

Advisory Timeline

Published Jul 16, 2019

Use of Insufficiently Random Values

CVE-2019-13603

Summary

CWE-330 - Use of Insufficiently Random Values

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS