Details of VAR-201306-0356

ID

VAR-201306-0356

CVE

CVE-2013-4732

TITLE

Digital Alert Systems DASDEC and Monroe Electronics R189 One-Net firmware exposes private root SSH key

Trust: 0.8

sources: CERT/CC: VU#662676

DESCRIPTION

The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network. NOTE: VU#662676 states "Monroe Electronics could not reproduce this finding. An attacker with SSH access to a device could use the key to log in with root privileges. ** Unsettled ** This case has not been confirmed as a vulnerability. "A remote attacker could intercept your network and hijack your session

Trust: 2.88

sources: NVD: CVE-2013-4732 // CERT/CC: VU#662676 // JVNDB: JVNDB-2013-006848 // CNVD: CNVD-2013-08661

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2013-08661

AFFECTED PRODUCTS

vendor:	digital alert	model:	dasdec eas	scope:	eq	version:	2.0-1	Trust: 1.0
vendor:	monroe	model:	r189 one-net eas	scope:	eq	version:	2.0-0	Trust: 1.0
vendor:	monroe	model:	r189 one-net eas	scope:	eq	version:	2.0-1	Trust: 1.0
vendor:	digital alert	model:	dasdec eas	scope:	lte	version:	2.0-2	Trust: 1.0
vendor:	monroe	model:	r189 one-net eas	scope:	lte	version:	2.0-2	Trust: 1.0
vendor:	digital alert	model:	dasdec eas	scope:	eq	version:	2.0-0	Trust: 1.0
vendor:	digital alert	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	monroe	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	digital alert	model:	dasdec	scope:	lte	version:	eas 2.0-2	Trust: 0.8
vendor:	monroe	model:	r189 one-net	scope:	lte	version:	eas 2.0-2	Trust: 0.8
vendor:	monroe	model:	electronics one-net e189 emergency alert system devices	scope:	-	version:	-	Trust: 0.6
vendor:	digital	model:	alert systems dasdec	scope:	-	version:	-	Trust: 0.6

sources: CERT/CC: VU#662676 // CNVD: CNVD-2013-08661 // JVNDB: JVNDB-2013-006848 // NVD: CVE-2013-4732

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-4732
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-0137
value:	HIGH
Trust: 0.8
NVD:	CVE-2013-4732
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2013-08661
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2013-4732
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
NVD:	CVE-2013-0137
severity:	HIGH
baseScore:	10.0
vectorString:	NONE
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2013-08661
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CERT/CC: VU#662676 // CNVD: CNVD-2013-08661 // JVNDB: JVNDB-2013-006848 // NVD: CVE-2013-4732

PROBLEMTYPE DATA

problemtype:

CWE-255

Trust: 1.8

sources: JVNDB: JVNDB-2013-006848 // NVD: CVE-2013-4732

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-006848

PATCH

title:

Top Page

url:

http://digitalalertsystems.com/

Trust: 0.8

sources: JVNDB: JVNDB-2013-006848

EXTERNAL IDS

db:	CERT/CC	id:	VU#662676	Trust: 3.2
db:	NVD	id:	CVE-2013-4732	Trust: 2.4
db:	USCERT	id:	TA13-175A	Trust: 1.6
db:	JVN	id:	JVNVU99235742	Trust: 0.8
db:	JVNDB	id:	JVNDB-2013-006848	Trust: 0.8
db:	CNVD	id:	CNVD-2013-08661	Trust: 0.6

sources: CERT/CC: VU#662676 // CNVD: CNVD-2013-08661 // JVNDB: JVNDB-2013-006848 // NVD: CVE-2013-4732

REFERENCES

url:	http://www.kb.cert.org/vuls/id/662676	Trust: 2.4
url:	http://www.monroe-electronics.com/monroe_electronics_pdf/130604-monroe-security-pr.pdf	Trust: 1.8
url:	http://www.digitalalertsystems.com/pdf/130604-monroe-security-pr.pdf	Trust: 1.8
url:	http://www.us-cert.gov/ncas/alerts/ta13-175a	Trust: 1.6
url:	http://www.monroe-electronics.com/eas_pages/r189se_registration.html	Trust: 1.6
url:	http://www.kb.cert.org/vuls/id/aamn-98muk2	Trust: 1.0
url:	http://www.kb.cert.org/vuls/id/aamn-98mu7h	Trust: 1.0
url:	http://www.monroe-electronics.com/eas_pages/prod_r189se.html	Trust: 0.8
url:	http://www.digitalalertsystems.com/products_enc-dec.html	Trust: 0.8
url:	http://www.digitalalertsystems.com/pdf/wpdas-122.pdf	Trust: 0.8
url:	http://www.fcc.gov/guides/emergency-alert-system-eas	Trust: 0.8
url:	http://www.ioactive.com/news-events/ioactive_uncovers_vulnerabilities_in_united_states_emergency_alerting_system.html	Trust: 0.8
url:	http://www.ioactive.com/pdfs/ioactive_dasdec_vulnerabilities.pdf	Trust: 0.8
url:	http://blog.ioactive.com/2013/10/strike-two-for-emergency-alerting.html	Trust: 0.8
url:	http://blog.ioactive.com/2013/07/why-vendor-openness-still-matters.html	Trust: 0.8
url:	http://www.commlawblog.com/2013/02/articles/broadcast/fcc-urges-broadcasters-to-secure-eas-equipment/	Trust: 0.8
url:	http://www.broadcastlawblog.com/2013/02/articles/emergency-communications/hackers-use-eas-to-send-alert-of-zombie-attack-fcc-issues-urgent-warning-to-broadcasters-to-secure-their-eas-systems/	Trust: 0.8
url:	http://www.radioworld.com/article/eas-hack-cap-not-the-issue-internet-security-is/217746	Trust: 0.8
url:	http://www.radioworld.com/article/stations-urged-to-protect-their-eas/217746	Trust: 0.8
url:	http://transition.fcc.gov/pshs/techtopics/techtopics21.html	Trust: 0.8
url:	http://www.thebdr.net/articles/fcc/eas/eas.html	Trust: 0.8
url:	http://www.thebdr.net/articles/fcc/eas/eas-q5.pdf	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/798.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/532.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/341.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/320.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/321.html	Trust: 0.8
url:	http://www.cert.org/downloads/vuls/662676/ssh-key-test.sh	Trust: 0.8
url:	https://raw.github.com/aspiers/ssh-config/master/bin/ssh-list-pubkeys	Trust: 0.8
url:	http://www.wired.com/threatlevel/2013/07/eas-holes/	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4732	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu99235742/	Trust: 0.8
url:	https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4732	Trust: 0.8

sources: CERT/CC: VU#662676 // CNVD: CNVD-2013-08661 // JVNDB: JVNDB-2013-006848 // NVD: CVE-2013-4732

SOURCES

db:	CERT/CC	id:	VU#662676
db:	CNVD	id:	CNVD-2013-08661
db:	JVNDB	id:	JVNDB-2013-006848
db:	NVD	id:	CVE-2013-4732

LAST UPDATE DATE

2025-04-11T22:59:07.067000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#662676	date:	2014-05-07T00:00:00
db:	CNVD	id:	CNVD-2013-08661	date:	2013-07-03T00:00:00
db:	JVNDB	id:	JVNDB-2013-006848	date:	2019-07-29T00:00:00
db:	NVD	id:	CVE-2013-4732	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#662676	date:	2013-06-26T00:00:00
db:	CNVD	id:	CNVD-2013-08661	date:	2013-07-03T00:00:00
db:	JVNDB	id:	JVNDB-2013-006848	date:	2019-07-29T00:00:00
db:	NVD	id:	CVE-2013-4732	date:	2013-06-30T19:28:10.173