CVE-2014-0328

The thraneLINK protocol implementation on Cobham devices does not verify firmware signatures, which allows attackers to execute arbitrary code by leveraging physical access or terminal access to send an SNMP request and a TFTP response.

CVSS v2.0 9.3 HIGH

9.3^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.kb.cert.org/vuls/id/179732	Third Party Advisory US Government Resource
http://www.kb.cert.org/vuls/id/179732	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:h:cobham:ailor_6110_mini-c_gmdss:-:::::::*
	cpe:2.3:h:cobham:sailor_6006_message_terminal:-:::::::*
	cpe:2.3:h:cobham:sailor_6222_vhf:-:::::::*
	cpe:2.3:h:cobham:sailor_6300_mf_\/_hf:-:::::::*

History

21 Nov 2024, 02:01

Type	Values Removed	Values Added
References	~~() http://www.kb.cert.org/vuls/id/179732 - Third Party Advisory, US Government Resource~~	() http://www.kb.cert.org/vuls/id/179732 - Third Party Advisory, US Government Resource

Information

Published : 2014-08-15 11:15

Updated : 2024-11-21 02:01

NVD link : CVE-2014-0328

Mitre link : CVE-2014-0328

CVE.ORG link : CVE-2014-0328

JSON object : View

Products Affected

cobham

sailor_6300_mf_\/_hf
sailor_6222_vhf
ailor_6110_mini-c_gmdss
sailor_6006_message_terminal

CWE

NVD-CWE-Other

{"id": "CVE-2014-0328", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-08-15T11:15:42.903", "references": [{"url": "http://www.kb.cert.org/vuls/id/179732", "tags": ["Third Party Advisory", "US Government Resource"], "source": "cret@cert.org"}, {"url": "http://www.kb.cert.org/vuls/id/179732", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "The thraneLINK protocol implementation on Cobham devices does not verify firmware signatures, which allows attackers to execute arbitrary code by leveraging physical access or terminal access to send an SNMP request and a TFTP response."}, {"lang": "es", "value": "La implementaci\u00f3n del protocolo thraneLINK en los dispositivos Cobham no verifica las firmas de firmware, lo que permite a atacantes ejecutar c\u00f3digo arbitrario mediante el aprovechamiento del acceso f\u00edsico o acceso al terminal para enviar una solicitud SNMP y una respuesta TFTP."}], "lastModified": "2024-11-21T02:01:53.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:cobham:ailor_6110_mini-c_gmdss:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEA4C870-472D-4CE8-BAF7-B489DA48AC4E"}, {"criteria": "cpe:2.3:h:cobham:sailor_6006_message_terminal:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D85C2D45-B835-4374-B3AB-B3DE311BBFFA"}, {"criteria": "cpe:2.3:h:cobham:sailor_6222_vhf:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6CDFC3D-35A7-4530-A253-62E5DF82F3CD"}, {"criteria": "cpe:2.3:h:cobham:sailor_6300_mf_\\/_hf:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0328B479-A9BA-49A9-B352-70D8816F4463"}], "operator": "OR"}]}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/347.html\">CWE-347: Improper Verification of Cryptographic Signature</a>", "sourceIdentifier": "cret@cert.org"}