Cyber Resilience

CVE-2024-45394

Severity: High

Published: 03 September 2024
Modified: 09 October 2024
KEV added: not listed
Patch: available (fixed in version 8.0.0)
CVSS v3.1 score: 8.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS score: 0.0004 (11.3th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45394 is a high-severity Weak Encoding for Password (CWE-261) vulnerability in the Authenticator browser extension. Its CVSS v3.1 base score is 8.8 (High).

Operationally, its EPSS score places it at the 11.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0.
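The weakness above sits in the passphrase-to-key step, not in AES-256 itself. As an added illustration (not code from the Authenticator project), the following Python re-implements OpenSSL's EVP_BytesToKey derivation with its common MD5, single-round defaults beside PBKDF2-HMAC-SHA256, and counts the hash operations a single passphrase guess costs under each. The choice of PBKDF2 as the replacement, the 600,000 iteration count, the passphrase and the salt are all constructed assumptions; the advisory does not state which KDF version 8.0.0 adopted.

```python
"""Weak KDF (OpenSSL EVP_BytesToKey, MD5, one round) beside a slow KDF (PBKDF2-HMAC-SHA256).

Added example for CVE-2024-45394. Everything here (passphrase, salt, iteration
count, PBKDF2 as the replacement) is a constructed assumption and is not taken
from the Authenticator project.
"""
import hashlib
import math
import time

PBKDF2_ITERATIONS = 600_000  # assumed replacement parameter, not the project's value


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int,
                     md: str = "md5", count: int = 1) -> bytes:
    """Re-implementation of OpenSSL's EVP_BytesToKey derivation.

    D_1 = H^count(password || salt), D_i = H^count(D_{i-1} || password || salt);
    the D_i are concatenated until key_len bytes are available. With md5 and
    count=1 (the defaults most callers use) a 32-byte AES-256 key costs two MD5
    calls per guess, which is why a copied vault is exposed to offline guessing.
    """
    derived = b""
    prev = b""
    while len(derived) < key_len:
        block = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):  # extra rounds only when count > 1
            block = hashlib.new(md, block).digest()
        derived += block
        prev = block
    return derived[:key_len]


def pbkdf2_key(password: bytes, salt: bytes, key_len: int,
               iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow KDF: each guess costs `iterations` HMAC evaluations per output block."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len)


def hash_ops_per_guess(key_len: int, digest_size: int, rounds: int) -> int:
    """Hash (or HMAC) invocations needed to test one passphrase guess."""
    blocks = math.ceil(key_len / digest_size)
    return blocks * rounds


def kdf_report(password: bytes, salt: bytes) -> dict:
    """Derive a 32-byte key both ways and return the work-factor comparison."""
    weak_ops = hash_ops_per_guess(32, hashlib.md5().digest_size, 1)
    strong_ops = hash_ops_per_guess(32, hashlib.sha256().digest_size, PBKDF2_ITERATIONS)
    return {
        "weak_key": evp_bytes_to_key(password, salt, 32),
        "strong_key": pbkdf2_key(password, salt, 32),
        "weak_ops": weak_ops,
        "strong_ops": strong_ops,
        "slowdown": strong_ops // weak_ops,
    }


if __name__ == "__main__":
    # Constructed sample inputs; a real vault would use a random per-user salt.
    pw, salt = b"correct horse battery staple", b"\x01\x02\x03\x04\x05\x06\x07\x08"
    r = kdf_report(pw, salt)
    for name in ("weak_key", "strong_key"):
        print(f"{name}: {r[name].hex()}")
    print(f"hash operations per guess: weak={r['weak_ops']} strong={r['strong_ops']} "
          f"(x{r['slowdown']} more work per guess after migration)")
    t0 = time.perf_counter(); evp_bytes_to_key(pw, salt, 32); t_weak = time.perf_counter() - t0
    t0 = time.perf_counter(); pbkdf2_key(pw, salt, 32); t_strong = time.perf_counter() - t0
    print(f"measured: weak {t_weak * 1e6:.0f} us, strong {t_strong * 1e3:.0f} ms per derivation")
```

Running the script prints both derived keys and the per-guess cost. The defender's takeaway is the ratio: two MD5 calls per guess means anyone holding a copied backup can test passphrases at hardware speed, and no later upgrade changes the KDF already baked into that file, which is why the advisory tells users to destroy backups made before 8.0.0 rather than merely update.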


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: authenticator
Product: authenticator
Versions: ≤ 8.0.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Ongoing education and sharing of recommended practices helps organizations identify and migrate away from broken or risky cryptographic algorithms. (Addresses CWE-327, CWE-326.)

Risk updates surface newly broken or risky cryptographic algorithms as threat intelligence and computing advances evolve, enabling timely replacement. (Addresses CWE-327, CWE-326.)

Specifies required cryptography types and parameters, preventing selection of inadequate encryption strength. (Addresses CWE-326, CWE-327.)

Flaw remediation replaces broken or risky cryptographic algorithms once safer implementations are released by vendors. (Addresses CWE-327, CWE-326.)

Contacts with security groups provide timely information on broken or risky cryptographic algorithms, reducing the likelihood of their selection and use. (Addresses CWE-327.)

Cross-organization threat feeds commonly include advances in cryptanalysis and active exploits against weak or broken algorithms, allowing organizations to deprecate them proactively. (Addresses CWE-327.)

Capital planning and funding allow selection and ongoing support of strong cryptographic algorithms rather than weak or broken ones. (Addresses CWE-327.)

Scanners flag use of broken or weak cryptographic algorithms via known-vulnerability databases. (Addresses CWE-327.)
