Details of VAR-201604-0294

ID

VAR-201604-0294

CVE

CVE-2016-2331

TITLE

SysLINK M2M Modular Gateway contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#822980

DESCRIPTION

The web interface on SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with firmware before 01A.8 has a default password, which makes it easier for remote attackers to obtain access via unspecified vectors. In addition, JVNVU#98139587 Then CWE-259 It is published as CWE-259: Use of Hard-coded Password http://cwe.mitre.org/data/definitions/259.htmlAccess may be obtained by a third party. SystechSysLINKSL-1000M2M (Machine-to-Machine) ModularGateway is a router product from Systech, USA that provides DHCP, NAT, VPN and firewall functions. Permissions exist in the web interface of SystechSysLINKSL-1000M2MModularGateway using firmware prior to 01A.8. Obtain a vulnerability in which the program uses hard-coded passwords and does not alert administrators to changes. A hard-coded password authentication-bypass vulnerability 2. A command-injection vulnerability 3. A hard-coded cryptographic key vulnerability Attackers can exploit these issues to bypass authentication mechanisms, to execute arbitrary commands in context of the affected application and to read and modify intercepted traffic

Trust: 3.24

sources: NVD: CVE-2016-2331 // CERT/CC: VU#822980 // JVNDB: JVNDB-2016-002408 // CNVD: CNVD-2016-02643 // BID: 87337 // VULHUB: VHN-91150

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-02643

AFFECTED PRODUCTS

vendor:	systech	model:	syslink sl-1000 modular gateway	scope:	eq	version:	-	Trust: 1.6
vendor:	systech	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	systech	model:	syslink sl-1000 m2m modular gateway	scope:	-	version:	-	Trust: 0.8
vendor:	systech	model:	syslink sl-1000 m2m modular gateway	scope:	lt	version:	01a.8	Trust: 0.8
vendor:	systech	model:	syslink sl-1000 m2m modular gateway <01a.8	scope:	-	version:	-	Trust: 0.6

sources: CERT/CC: VU#822980 // CNVD: CNVD-2016-02643 // JVNDB: JVNDB-2016-002408 // CNNVD: CNNVD-201604-548 // NVD: CVE-2016-2331

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-2331
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-2331
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2016-02643
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201604-548
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-91150
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-2331
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-02643
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-91150
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-2331
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-02643 // VULHUB: VHN-91150 // JVNDB: JVNDB-2016-002408 // CNNVD: CNNVD-201604-548 // NVD: CVE-2016-2331

PROBLEMTYPE DATA

problemtype:	CWE-255	Trust: 1.9
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-91150 // JVNDB: JVNDB-2016-002408 // NVD: CVE-2016-2331

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201604-548

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201604-548

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-002408

PATCH

title:	SysLINK M2M Gateway	url:	http://www.systech.com/syslink-m2m-modular-gateway	Trust: 0.8
title:	SystechSysLINKM2MModularGateway permission to obtain patch for vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/74841	Trust: 0.6
title:	Systech SysLINK SL-1000 M2M Modular Gateway Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=61232	Trust: 0.6

sources: CNVD: CNVD-2016-02643 // JVNDB: JVNDB-2016-002408 // CNNVD: CNNVD-201604-548

EXTERNAL IDS

db:	CERT/CC	id:	VU#822980	Trust: 3.9
db:	NVD	id:	CVE-2016-2331	Trust: 3.4
db:	JVN	id:	JVNVU98139587	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-002408	Trust: 0.8
db:	CNNVD	id:	CNNVD-201604-548	Trust: 0.7
db:	CNVD	id:	CNVD-2016-02643	Trust: 0.6
db:	BID	id:	87337	Trust: 0.3
db:	VULHUB	id:	VHN-91150	Trust: 0.1

sources: CERT/CC: VU#822980 // CNVD: CNVD-2016-02643 // VULHUB: VHN-91150 // BID: 87337 // JVNDB: JVNDB-2016-002408 // CNNVD: CNNVD-201604-548 // NVD: CVE-2016-2331

REFERENCES

url:	http://www.kb.cert.org/vuls/id/822980	Trust: 3.1
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2331	Trust: 1.4
url:	about vulnerability notes	Trust: 0.8
url:	contact us about this vulnerability	Trust: 0.8
url:	provide a vendor statement	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2331	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu98139587/index.html	Trust: 0.8

sources: CERT/CC: VU#822980 // CNVD: CNVD-2016-02643 // VULHUB: VHN-91150 // JVNDB: JVNDB-2016-002408 // CNNVD: CNNVD-201604-548 // NVD: CVE-2016-2331

CREDITS

Roman Faynberg , Jeremy Allen of Carve Systems

Trust: 0.6

sources: CNNVD: CNNVD-201604-548

SOURCES

db:	CERT/CC	id:	VU#822980
db:	CNVD	id:	CNVD-2016-02643
db:	VULHUB	id:	VHN-91150
db:	BID	id:	87337
db:	JVNDB	id:	JVNDB-2016-002408
db:	CNNVD	id:	CNNVD-201604-548
db:	NVD	id:	CVE-2016-2331

LAST UPDATE DATE

2025-04-12T23:22:09.571000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#822980	date:	2016-04-22T00:00:00
db:	CNVD	id:	CNVD-2016-02643	date:	2016-04-28T00:00:00
db:	VULHUB	id:	VHN-91150	date:	2016-05-31T00:00:00
db:	BID	id:	87337	date:	2016-04-22T00:00:00
db:	JVNDB	id:	JVNDB-2016-002408	date:	2016-05-06T00:00:00
db:	CNNVD	id:	CNNVD-201604-548	date:	2016-04-26T00:00:00
db:	NVD	id:	CVE-2016-2331	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#822980	date:	2016-04-22T00:00:00
db:	CNVD	id:	CNVD-2016-02643	date:	2016-04-28T00:00:00
db:	VULHUB	id:	VHN-91150	date:	2016-04-25T00:00:00
db:	BID	id:	87337	date:	2016-04-22T00:00:00
db:	JVNDB	id:	JVNDB-2016-002408	date:	2016-05-06T00:00:00
db:	CNNVD	id:	CNNVD-201604-548	date:	2016-04-25T00:00:00
db:	NVD	id:	CVE-2016-2331	date:	2016-04-25T18:59:02.310