CVE-2019-18659

{"id": "CVE-2019-18659", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2019-11-02T01:15:10.630", "references": [{"url": "https://dl.acm.org/citation.cfm?id=3326082", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://dl.acm.org/citation.cfm?id=3326082", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "The Wireless Emergency Alerts (WEA) protocol allows remote attackers to spoof a Presidential Alert because cryptographic authentication is not used, as demonstrated by MessageIdentifier 4370 in LTE System Information Block 12 (aka SIB12). NOTE: testing inside an RF-isolated shield box suggested that all LTE phones are affected by design (e.g., use of Android versus iOS does not matter); testing in an open RF environment is, of course, contraindicated."}, {"lang": "es", "value": "El protocolo Wireless Emergency Alerts (WEA) permite a atacantes remotos falsificar una Alerta Presidencial porque no es usada la autenticaci\u00f3n criptogr\u00e1fica, como es demostrado por MessageIdentifier 4370 en LTE System Information Block 12 (tambi\u00e9n se conoce como SIB12). NOTA: las pruebas dentro de una caja de protecci\u00f3n aislada para RF sugirieron que todos los tel\u00e9fonos LTE est\u00e1n afectados por dise\u00f1o (por ejemplo, el uso de Android versus iOS no importa); Las pruebas en un entorno abierto de RF est\u00e1n, por supuesto, contraindicadas."}], "lastModified": "2024-11-21T04:33:28.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ready:wireless_emergency_alerts:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17A702AE-5B80-4336-BC6A-97CBE295490E"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}