CVE-2021-45036 - Exploiting Weak Authentication in Velneo vClient 28.1.3—Full Walkthrough, Code Exploit & Details

Velneo is an application development platform popular mainly in Spain and Latin America. Its main component, Velneo vClient, allows client computers to access Velneo-based business solutions hosted on servers. In December 2021, a serious vulnerability—CVE-2021-45036—was disclosed that affects Velneo vClient version 28.1.3.

In this long read, we'll break down what the issue is, how you might exploit it, and what steps you should take to mitigate it. We will show actual code snippets and refer to the original CVE advisory and other sources when possible. All information presented here is for educational purposes only.

1. Vulnerability Overview

CVE-2021-45036 boils down to this:  
If an attacker obtains a victim’s username and hashed password, they can impersonate the victim on the Velneo server using vClient 28.1.3. The authentication design is weak and lets you *spoof* a user just by knowing their hashed credentials.

*Imagine if someone could log in as you to your company’s database without ever cracking your password open.*

Affected Version:

Velneo vClient 28.1.3

Attack Prerequisites:

The attacker knows or can guess the victim's username.

2. The attacker obtains the victim's hashed password (md5/sha1/etc).

2. How the Attack Works

When vClient logs in to the Velneo server, it sends the username and the hashed password directly. The server, trusting these values, grants access if they match the stored credentials. The catch? No extra server-side re-hashing or salt is involved!

That means if you capture or steal someone’s hashed password (maybe from a backup, a database leak, or sniffing traffic), you can just plug those values right back into the login system and skip password guessing entirely.

Attacker sends a login request where the password field is already hashed.

4. Velneo server matches/raw-compares the received hash and grants access.

3. Proof of Concept (PoC) Exploit

Below is a simplified re-creation of how an attacker can exploit the flaw.  
(We do not provide a full attack kit—this is for learning and awareness!)

Let's say the Velneo vClient authentication works something like this (Python-like pseudocode)

import socket

def velneo_login(server_ip, port, username, hashed_password):
    """
    Simulated Velneo vClient login function. 
    Instead of the plaintext password, it sends the hash directly.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((server_ip, port))
        # Example: send login request (format may differ in reality)
        login_data = f"{username}:{hashed_password}\n"
        s.send(login_data.encode())
        response = s.recv(1024)
        print("Server Response:", response.decode())

# Example usage with known username and _hashed_ password
victim_username = "alice"
victim_hashed_password = "5f4dcc3b5aa765d61d8327deb882cf99"  # e.g. "password" MD5

velneo_login("192.168.1.100", 6906, victim_username, victim_hashed_password)

*In a real network scenario, you’d need to match Velneo’s actual login packet formatting, but the core idea remains the same.*

4. Realistic Attack Scenarios

How might an attacker actually get the hashed password?

- Leaked Server Database: The hashes are often stored insecurely or can be extracted via SQL injection or file theft.
- Network Sniffing: If the login happens over cleartext (no TLS), someone with access to LAN traffic could grab the hash in transit.

Insider Threat: Malicious employees could access credential storage.

Once the attacker has a legitimate hash, it doesn’t matter whether they know the actual password. The server never asks for the plaintext to hash again; it just matches the incoming client hash value.

Exfiltrate records, sabotage business processes, or escalate privileges

This is especially dangerous in shared/hosted environments where many users connect to the same Velneo server.

CVE Entry:

NIST NVD CVE-2021-45036

Spanish CERT Advisory:

INCIBE Advisory (Spanish)

Upgrade Velneo Software to a version where the flaw is patched.

(Contact Velneo Support for details)

Never share or store credential hashes unsafely.

- Enforce encrypted connections (TLS/SSL) across your deployment.

8. Final Thoughts

CVE-2021-45036 is a classic example of why it’s not enough to just “hash passwords.” You need to hash them with random salt and never expose or transmit the hash as a credential. If you use Velneo (and especially vClient 28.1.3), review your security today.

If you want to learn more about the underlying issues, the following are good reads

- OWASP Authentication Cheat Sheet
- Explaining Why Password Hashes Must Stay Secret

Stay safe and patch your systems!

*This article is exclusive content prepared for awareness and learning—do not misuse this information. Always respect legal and ethical boundaries in cybersecurity.*

Timeline

Published on: 11/28/2022 16:15:00 UTC
Last modified on: 12/01/2022 22:51:00 UTC