ID

VAR-201506-0054


CVE

CVE-2014-4875


TITLE

Toshiba CHEC Hardcoded Cryptographic Key Information Disclosure Vulnerability

Trust: 0.9

sources: BID: 75055 // CNNVD: CNNVD-201506-217

DESCRIPTION

CreateBossCredentials.jar in Toshiba CHEC before 6.6 build 4014 and 6.7 before build 4329 contains a hardcoded AES key, which allows attackers to discover Back Office System Server (BOSS) DB2 database credentials by leveraging knowledge of this key in conjunction with bossinfo.pro read access. Toshiba CHEC contains a hard-coded AES symmetric (common) key. Use of a hard-coded cryptographic key (CWE-321) - CVE-2014-4875: the AES key that CreateBossCredentials.jar in Toshiba CHEC uses for encryption is hard-coded. An attacker with access to the bossinfo.pro file can use the hard-coded AES key to decrypt encrypted information such as the BOSS database authentication information. CWE-321: Use of Hard-coded Cryptographic Key http://cwe.mitre.org/data/definitions/321.html An attacker with access to the product may obtain the authentication information of the BOSS database. Toshiba CHEC is a product of Toshiba Corporation. Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks.

Trust: 3.15

sources: NVD: CVE-2014-4875 // CERT/CC: VU#301788 // JVNDB: JVNDB-2015-002960 // CNVD: CNVD-2015-03887 // BID: 75055

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-03887

AFFECTED PRODUCTS

vendor: toshiba, model: chec, scope: eq, version: 6.7

Trust: 1.9

vendor: toshiba, model: chec, scope: lte, version: 6.6

Trust: 1.0

vendor: toshiba, model: chec, scope: eq, version: 6.6

Trust: 0.9

vendor: toshiba commerce, model: -, scope: -, version: -

Trust: 0.8

vendor: toshiba global commerce, model: chec, scope: eq, version: version 6.6

Trust: 0.8

vendor: toshiba global commerce, model: chec, scope: eq, version: 6.7

Trust: 0.8

vendor: toshiba, model: chec, scope: -, version: -

Trust: 0.6

vendor: toshiba, model: chec build level, scope: ne, version: 6.74329

Trust: 0.3

vendor: toshiba, model: chec build level, scope: ne, version: 6.64014

Trust: 0.3

sources: CERT/CC: VU#301788 // CNVD: CNVD-2015-03887 // BID: 75055 // JVNDB: JVNDB-2015-002960 // CNNVD: CNNVD-201506-217 // NVD: CVE-2014-4875

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2014-4875
value: MEDIUM

Trust: 1.6

nvd@nist.gov: CVE-2014-4875
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2015-03887
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201506-217
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2014-4875
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

NVD: CVE-2014-4875
severity: MEDIUM
baseScore: 5.0
vectorString: NONE
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2015-03887
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CERT/CC: VU#301788 // CNVD: CNVD-2015-03887 // JVNDB: JVNDB-2015-002960 // CNNVD: CNNVD-201506-217 // NVD: CVE-2014-4875

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.8

problemtype:CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2015-002960 // NVD: CVE-2014-4875

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201506-217

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201506-217

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002960

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#301788

PATCH

title: Toshiba Global Commerce Solutions Self Checkout System 6, url: http://www-03.ibm.com/products/retail/products/self/sco6/specs.html

Trust: 0.8

title: Top Page, url: https://www.toshibacommerce.com

Trust: 0.8

title: Toshiba CHEC built-in patch for encryption key information disclosure vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/59823

Trust: 0.6

sources: CNVD: CNVD-2015-03887 // JVNDB: JVNDB-2015-002960

EXTERNAL IDS

db: CERT/CC, id: VU#301788

Trust: 4.1

db: NVD, id: CVE-2014-4875

Trust: 3.3

db: BID, id: 75055

Trust: 1.5

db: JVN, id: JVNVU91309683

Trust: 0.8

db: JVNDB, id: JVNDB-2015-002960

Trust: 0.8

db: CNVD, id: CNVD-2015-03887

Trust: 0.6

db: CNNVD, id: CNNVD-201506-217

Trust: 0.6

sources: CERT/CC: VU#301788 // CNVD: CNVD-2015-03887 // BID: 75055 // JVNDB: JVNDB-2015-002960 // CNNVD: CNNVD-201506-217 // NVD: CVE-2014-4875

REFERENCES

url:http://www.kb.cert.org/vuls/id/301788

Trust: 3.3

url:http://www.kb.cert.org/vuls/id/jlad-9x4spn

Trust: 2.4

url:http://www.securityfocus.com/bid/75055

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4875

Trust: 0.8

url:http://jvn.jp/vu/jvnvu91309683/index.html

Trust: 0.8

url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4875

Trust: 0.8

url:http://www.toshiba.com/

Trust: 0.3

sources: CERT/CC: VU#301788 // CNVD: CNVD-2015-03887 // BID: 75055 // JVNDB: JVNDB-2015-002960 // CNNVD: CNNVD-201506-217 // NVD: CVE-2014-4875

CREDITS

David Odell

Trust: 0.9

sources: BID: 75055 // CNNVD: CNNVD-201506-217

SOURCES

db: CERT/CC, id: VU#301788
db: CNVD, id: CNVD-2015-03887
db: BID, id: 75055
db: JVNDB, id: JVNDB-2015-002960
db: CNNVD, id: CNNVD-201506-217
db: NVD, id: CVE-2014-4875

LAST UPDATE DATE

2025-04-13T23:39:06.584000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#301788, date: 2015-06-08T00:00:00
db: CNVD, id: CNVD-2015-03887, date: 2015-06-19T00:00:00
db: BID, id: 75055, date: 2015-06-08T00:00:00
db: JVNDB, id: JVNDB-2015-002960, date: 2015-06-25T00:00:00
db: CNNVD, id: CNNVD-201506-217, date: 2015-06-25T00:00:00
db: NVD, id: CVE-2014-4875, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC, id: VU#301788, date: 2015-06-08T00:00:00
db: CNVD, id: CNVD-2015-03887, date: 2015-06-19T00:00:00
db: BID, id: 75055, date: 2015-06-08T00:00:00
db: JVNDB, id: JVNDB-2015-002960, date: 2015-06-10T00:00:00
db: CNNVD, id: CNNVD-201506-217, date: 2015-06-11T00:00:00
db: NVD, id: CVE-2014-4875, date: 2015-06-24T10:59:00.120