Details of VAR-201604-0296

ID

VAR-201604-0296

CVE

CVE-2016-2333

TITLE

SysLINK M2M Modular Gateway contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#822980

DESCRIPTION

SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with firmware before 01A.8 use the same hardcoded encryption key across different customers' installations, which allows attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation. The SysLINK SL-1000 M2M (Machine-to-Machine) Modular Gateway contains multiple vulnerabilities. A hard-coded password authentication-bypass vulnerability 2. A command-injection vulnerability 3. A hard-coded cryptographic key vulnerability Attackers can exploit these issues to bypass authentication mechanisms, to execute arbitrary commands in context of the affected application and to read and modify intercepted traffic. Systech SysLINK SL-1000 M2M ((Machine-to-Machine) Modular Gateway is a router product of Systech Corporation of the United States that provides DHCP, NAT, VPN and firewall functions

Trust: 2.7

sources: NVD: CVE-2016-2333 // CERT/CC: VU#822980 // JVNDB: JVNDB-2016-002410 // BID: 87337 // VULHUB: VHN-91152

AFFECTED PRODUCTS

vendor:	systech	model:	syslink sl-1000 modular gateway	scope:	eq	version:	-	Trust: 1.6
vendor:	systech	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	systech	model:	syslink sl-1000 m2m modular gateway	scope:	-	version:	-	Trust: 0.8
vendor:	systech	model:	syslink sl-1000 m2m modular gateway	scope:	lt	version:	01a.8	Trust: 0.8

sources: CERT/CC: VU#822980 // JVNDB: JVNDB-2016-002410 // CNNVD: CNNVD-201604-550 // NVD: CVE-2016-2333

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-2333
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-2333
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201604-550
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-91152
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-2333
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-91152
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-2333
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-91152 // JVNDB: JVNDB-2016-002410 // CNNVD: CNNVD-201604-550 // NVD: CVE-2016-2333

PROBLEMTYPE DATA

problemtype:	CWE-310	Trust: 1.9
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-91152 // JVNDB: JVNDB-2016-002410 // NVD: CVE-2016-2333

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201604-550

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201604-550

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-002410

PATCH

title:	SysLINK M2M Gateway	url:	http://www.systech.com/syslink-m2m-modular-gateway	Trust: 0.8
title:	Systech SysLINK SL-1000 M2M Modular Gateway Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=61234	Trust: 0.6

sources: JVNDB: JVNDB-2016-002410 // CNNVD: CNNVD-201604-550

EXTERNAL IDS

db:	CERT/CC	id:	VU#822980	Trust: 3.3
db:	NVD	id:	CVE-2016-2333	Trust: 2.8
db:	JVN	id:	JVNVU98139587	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-002410	Trust: 0.8
db:	CNNVD	id:	CNNVD-201604-550	Trust: 0.7
db:	BID	id:	87337	Trust: 0.3
db:	VULHUB	id:	VHN-91152	Trust: 0.1

sources: CERT/CC: VU#822980 // VULHUB: VHN-91152 // BID: 87337 // JVNDB: JVNDB-2016-002410 // CNNVD: CNNVD-201604-550 // NVD: CVE-2016-2333

REFERENCES

url:	http://www.kb.cert.org/vuls/id/822980	Trust: 2.5
url:	about vulnerability notes	Trust: 0.8
url:	contact us about this vulnerability	Trust: 0.8
url:	provide a vendor statement	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2333	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu98139587/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2333	Trust: 0.8

sources: CERT/CC: VU#822980 // VULHUB: VHN-91152 // JVNDB: JVNDB-2016-002410 // CNNVD: CNNVD-201604-550 // NVD: CVE-2016-2333

CREDITS

Roman Faynberg , Jeremy Allen of Carve Systems

Trust: 0.6

sources: CNNVD: CNNVD-201604-550

SOURCES

db:	CERT/CC	id:	VU#822980
db:	VULHUB	id:	VHN-91152
db:	BID	id:	87337
db:	JVNDB	id:	JVNDB-2016-002410
db:	CNNVD	id:	CNNVD-201604-550
db:	NVD	id:	CVE-2016-2333

LAST UPDATE DATE

2025-04-12T23:22:09.608000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#822980	date:	2016-04-22T00:00:00
db:	VULHUB	id:	VHN-91152	date:	2016-05-04T00:00:00
db:	BID	id:	87337	date:	2016-04-22T00:00:00
db:	JVNDB	id:	JVNDB-2016-002410	date:	2016-05-06T00:00:00
db:	CNNVD	id:	CNNVD-201604-550	date:	2016-04-26T00:00:00
db:	NVD	id:	CVE-2016-2333	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#822980	date:	2016-04-22T00:00:00
db:	VULHUB	id:	VHN-91152	date:	2016-04-25T00:00:00
db:	BID	id:	87337	date:	2016-04-22T00:00:00
db:	JVNDB	id:	JVNDB-2016-002410	date:	2016-05-06T00:00:00
db:	CNNVD	id:	CNNVD-201604-550	date:	2016-04-25T00:00:00
db:	NVD	id:	CVE-2016-2333	date:	2016-04-25T18:59:04.183