Details of VAR-201606-0013

ID

VAR-201606-0013

CVE

CVE-2016-2310

TITLE

General Electric Multilink Vulnerability to change configuration settings in switch firmware

Trust: 0.8

sources: JVNDB: JVNDB-2016-003087

DESCRIPTION

General Electric (GE) Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware before 5.5.0 and ML810, ML3000, and ML3100 switches with firmware before 5.5.0k have hardcoded credentials, which allows remote attackers to modify configuration settings via the web interface. Supplementary information : CWE Vulnerability type by CWE-798: Use of Hard-coded Credentials ( Using hard-coded credentials ) Has been identified. http://cwe.mitre.org/data/definitions/798.htmlBy a third party Web Configuration settings may be changed through the interface. GEML800 and others are all Ethernet switches of General Electric (GE). GE MultiLink Series Switches are prone to an authentication-bypass vulnerability. An attacker can exploit this issue to gain unauthorized access or obtain sensitive information; this may lead to further attacks. The following products are affected : GE ML800 Switch, firmware versions prior to Version 5.5.0 GE ML810 Switch, firmware versions prior to Version 5.5.0k GE ML1200 Switch, firmware versions prior to Version 5.5.0 GE ML1600 Switch, firmware versions prior to Version 5.5.0 GE ML2400 Switch, firmware versions prior to Version 5.5.0 GE ML3000 Switch, firmware versions prior to Version 5.5.0k GE ML3100 Switch, firmware versions prior to Version 5.5.0k

Trust: 2.61

sources: NVD: CVE-2016-2310 // JVNDB: JVNDB-2016-003087 // CNVD: CNVD-2016-03794 // BID: 91011 // VULHUB: VHN-91129 // VULMON: CVE-2016-2310

IOT TAXONOMY

category:

['ICS', 'Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-03794

AFFECTED PRODUCTS

vendor:	ge	model:	multilink	scope:	lte	version:	5.5.0k	Trust: 1.0
vendor:	ge	model:	multilink	scope:	lte	version:	5.5.0	Trust: 1.0
vendor:	general electric	model:	multilink ml1200	scope:	-	version:	-	Trust: 0.8
vendor:	general electric	model:	multilink ml1600	scope:	-	version:	-	Trust: 0.8
vendor:	general electric	model:	multilink ml2400	scope:	-	version:	-	Trust: 0.8
vendor:	general electric	model:	multilink ml3000	scope:	-	version:	-	Trust: 0.8
vendor:	general electric	model:	multilink ml3100	scope:	-	version:	-	Trust: 0.8
vendor:	general electric	model:	multilink ml800	scope:	-	version:	-	Trust: 0.8
vendor:	general electric	model:	multilink ml810	scope:	-	version:	-	Trust: 0.8
vendor:	general electric	model:	multilink series	scope:	lt	version:	5.5.0 (ml800/ml1200/ml1600/ml2400)	Trust: 0.8
vendor:	general electric	model:	multilink series	scope:	lt	version:	5.5.0k (ml810/ml3000/ml3100)	Trust: 0.8
vendor:	ge	model:	ml800 switch	scope:	lt	version:	5.5.0	Trust: 0.6
vendor:	ge	model:	ml810 switch <5.5.0k	scope:	-	version:	-	Trust: 0.6
vendor:	ge	model:	ml1200 switch	scope:	lt	version:	5.5.0	Trust: 0.6
vendor:	ge	model:	ml1600	scope:	lt	version:	5.5.0	Trust: 0.6
vendor:	ge	model:	ml2400 switch	scope:	lt	version:	5.5.0	Trust: 0.6
vendor:	ge	model:	ml3000 switch 5.5.0k	scope:	-	version:	-	Trust: 0.6
vendor:	ge	model:	ml3100 switch <5.5.0k	scope:	-	version:	-	Trust: 0.6
vendor:	ge	model:	ml3100 switch	scope:	eq	version:	-	Trust: 0.6
vendor:	ge	model:	ml800 switch	scope:	eq	version:	-	Trust: 0.6
vendor:	ge	model:	ml1200 switch	scope:	eq	version:	-	Trust: 0.6
vendor:	ge	model:	multilink	scope:	eq	version:	5.5.0	Trust: 0.6
vendor:	ge	model:	ml1600 switch	scope:	eq	version:	-	Trust: 0.6
vendor:	ge	model:	ml2400 switch	scope:	eq	version:	-	Trust: 0.6

sources: CNVD: CNVD-2016-03794 // JVNDB: JVNDB-2016-003087 // CNNVD: CNNVD-201606-054 // NVD: CVE-2016-2310

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-2310
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-2310
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2016-03794
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201606-054
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-91129
value:	HIGH
Trust: 0.1
VULMON:	CVE-2016-2310
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-2310
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2016-03794
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-91129
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-2310
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2016-2310
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2016-03794 // VULHUB: VHN-91129 // VULMON: CVE-2016-2310 // JVNDB: JVNDB-2016-003087 // CNNVD: CNNVD-201606-054 // NVD: CVE-2016-2310

PROBLEMTYPE DATA

problemtype:	CWE-798	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2016-003087 // NVD: CVE-2016-2310

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201606-054

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201606-054

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-003087

PATCH

title:	ML1200 Compact Hardened Managed Ethernet Switch	url:	https://www.gegridsolutions.com/app/Resources.aspx?prod=ml1200&type=7	Trust: 0.8
title:	ML1600 9" Panel-mounted Managed Switch	url:	https://www.gegridsolutions.com/app/Resources.aspx?prod=ml1600&type=7	Trust: 0.8
title:	ML2400 19" Rack-mounted Managed Switch	url:	https://www.gegridsolutions.com/app/Resources.aspx?prod=ml2400&type=7	Trust: 0.8
title:	ML3000 Series 19" Rack-mounted Managed Switch (The new firmware version for the ML3000 and ML3100)	url:	https://www.gegridsolutions.com/app/Resources.aspx?prod=ml3000&type=7	Trust: 0.8
title:	ML800 Compact Hardened Managed Ethernet Switch	url:	https://www.gegridsolutions.com/app/Resources.aspx?prod=ml800&type=7	Trust: 0.8
title:	ML810 Compact Hardened 10-port Ethernet Switch	url:	https://www.gegridsolutions.com/app/Resources.aspx?prod=ml810&type=7	Trust: 0.8
title:	GE's multiple product configuration options control vulnerability patches	url:	https://www.cnvd.org.cn/patchInfo/show/76993	Trust: 0.6
title:	GE Various product security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=62079	Trust: 0.6

sources: CNVD: CNVD-2016-03794 // JVNDB: JVNDB-2016-003087 // CNNVD: CNNVD-201606-054

EXTERNAL IDS

db:	NVD	id:	CVE-2016-2310	Trust: 3.5
db:	ICS CERT	id:	ICSA-16-154-01	Trust: 3.2
db:	JVNDB	id:	JVNDB-2016-003087	Trust: 0.8
db:	CNNVD	id:	CNNVD-201606-054	Trust: 0.7
db:	CNVD	id:	CNVD-2016-03794	Trust: 0.6
db:	BID	id:	91011	Trust: 0.4
db:	VULHUB	id:	VHN-91129	Trust: 0.1
db:	VULMON	id:	CVE-2016-2310	Trust: 0.1

sources: CNVD: CNVD-2016-03794 // VULHUB: VHN-91129 // VULMON: CVE-2016-2310 // BID: 91011 // JVNDB: JVNDB-2016-003087 // CNNVD: CNNVD-201606-054 // NVD: CVE-2016-2310

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-16-154-01	Trust: 3.3
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2310	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2310	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/798.html	Trust: 0.1
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=46503	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2016-03794 // VULHUB: VHN-91129 // VULMON: CVE-2016-2310 // JVNDB: JVNDB-2016-003087 // CNNVD: CNNVD-201606-054 // NVD: CVE-2016-2310

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 91011

SOURCES

db:	CNVD	id:	CNVD-2016-03794
db:	VULHUB	id:	VHN-91129
db:	VULMON	id:	CVE-2016-2310
db:	BID	id:	91011
db:	JVNDB	id:	JVNDB-2016-003087
db:	CNNVD	id:	CNNVD-201606-054
db:	NVD	id:	CVE-2016-2310

LAST UPDATE DATE

2025-04-12T23:29:28.303000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-03794	date:	2016-06-07T00:00:00
db:	VULHUB	id:	VHN-91129	date:	2016-06-10T00:00:00
db:	VULMON	id:	CVE-2016-2310	date:	2021-03-29T00:00:00
db:	BID	id:	91011	date:	2016-06-02T00:00:00
db:	JVNDB	id:	JVNDB-2016-003087	date:	2016-06-13T00:00:00
db:	CNNVD	id:	CNNVD-201606-054	date:	2021-03-30T00:00:00
db:	NVD	id:	CVE-2016-2310	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-03794	date:	2016-06-06T00:00:00
db:	VULHUB	id:	VHN-91129	date:	2016-06-09T00:00:00
db:	VULMON	id:	CVE-2016-2310	date:	2016-06-09T00:00:00
db:	BID	id:	91011	date:	2016-06-02T00:00:00
db:	JVNDB	id:	JVNDB-2016-003087	date:	2016-06-13T00:00:00
db:	CNNVD	id:	CNNVD-201606-054	date:	2016-06-03T00:00:00
db:	NVD	id:	CVE-2016-2310	date:	2016-06-09T10:59:00.290