NeuVector Insecure Password and API Key Storage Vulnerability Allowing Rainbow Table Attacks

Vulnerability

A vulnerability exists in NeuVector versions 5.0.0 and later, prior to 5.4.6, where user passwords and API keys are stored using a simple, unsalted hash. This insecure hashing method is susceptible to rainbow table attacks, allowing offline exploitation by precomputing hashes of known passwords. The vulnerability arises because NeuVector's hashing process lacks adequate salting and uses a weak hashing approach, leaving sensitive information exposed to potential attackers.

Impact

The vulnerability allows for rainbow table attacks, where an attacker can precompute hashes of known passwords and use them to crack the unsalted hashes stored by NeuVector, potentially leading to unauthorized access.

Remediation

Users are advised to upgrade to NeuVector version 5.4.6 or later. After upgrading, users must log in again to allow NeuVector to regenerate the password hash. For API keys, at least one request per API key must be sent to regenerate its hash value.
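The sketch below is an added example, not NeuVector's code. It shows why a login or API request is needed before a stored hash can be regenerated, and how an operator could list the records still waiting for that. The legacy digest (SHA-256), the replacement KDF (PBKDF2-HMAC-SHA256), the work factor, the record layout and all function names are assumptions made for illustration; the advisory names none of them.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor, not a value from the advisory

def legacy_hash(password):
    # Unsalted single-pass digest (SHA-256 assumed): same input, same output, always.
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None, iterations=ITERATIONS):
    # Per-record random salt plus a slow KDF; the parameters travel with the hash.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def verify_and_upgrade(record, password):
    # Check a login; on success, replace a legacy hash with a salted one.
    stored = record["hash"]
    if stored.startswith("pbkdf2$"):
        _, iterations, salt_hex, _ = stored.split("$")
        candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, stored)
    if not hmac.compare_digest(legacy_hash(password), stored):
        return False
    record["hash"] = salted_hash(password)  # only possible while the plaintext is in hand
    return True

def pending_rehash(records):
    # Accounts or API keys that have not authenticated since the upgrade.
    return sorted(n for n, r in records.items() if not r["hash"].startswith("pbkdf2$"))

if __name__ == "__main__":
    # Constructed sample store: two users who chose the same password.
    store = {u: {"hash": legacy_hash("Winter2025!")} for u in ("alice", "bob")}
    print("legacy hashes identical:", store["alice"]["hash"] == store["bob"]["hash"])
    verify_and_upgrade(store["alice"], "Winter2025!")
    print("still on legacy hash:", pending_rehash(store))
```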

Added: Sep 17, 2025, 1:22 PM
Updated: Sep 17, 2025, 2:30 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 5.0
exploitability: 7.8
remediation: 7.7
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.