Details of VAR-201607-0384

ID

VAR-201607-0384

CVE

CVE-2016-4520

TITLE

Schneider Electric Pelco Digital Sentry Vulnerability in the access rights of video management system firmware

Trust: 0.8

sources: JVNDB: JVNDB-2016-003793

DESCRIPTION

Schneider Electric Pelco Digital Sentry Video Management System with firmware before 7.14 has hardcoded credentials, which allows remote attackers to obtain access, and consequently execute arbitrary code, via unspecified vectors. Supplementary information : CWE Vulnerability type by CWE-798: Use of Hard-coded Credentials ( Using hard-coded credentials ) Has been identified. http://cwe.mitre.org/data/definitions/798.htmlA third party could gain access and thus execute arbitrary code. Attackers can exploit this issue to bypass the authentication mechanism and gain access to the vulnerable device

Trust: 2.52

sources: NVD: CVE-2016-4520 // JVNDB: JVNDB-2016-003793 // CNVD: CNVD-2016-04934 // BID: 91783 // VULHUB: VHN-93339

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-04934

AFFECTED PRODUCTS

vendor:	schneider electric	model:	pelco digital sentry video management system	scope:	lte	version:	7.6.32.9203	Trust: 1.0
vendor:	schneider electric	model:	pelco digital sentry video management system	scope:	lt	version:	7.14	Trust: 0.8
vendor:	schneider	model:	electric pelco digital sentry video management system	scope:	lt	version:	7.13	Trust: 0.6
vendor:	schneider electric	model:	pelco digital sentry video management system	scope:	eq	version:	7.6.32.9203	Trust: 0.6
vendor:	schneider electric	model:	pelco digital sentry video management system	scope:	eq	version:	7.13	Trust: 0.3
vendor:	schneider electric	model:	pelco digital sentry video management system	scope:	ne	version:	7.14	Trust: 0.3

sources: CNVD: CNVD-2016-04934 // BID: 91783 // JVNDB: JVNDB-2016-003793 // CNNVD: CNNVD-201607-434 // NVD: CVE-2016-4520

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-4520
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-4520
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2016-04934
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201607-434
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-93339
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-4520
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-04934
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-93339
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-4520
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-04934 // VULHUB: VHN-93339 // JVNDB: JVNDB-2016-003793 // CNNVD: CNNVD-201607-434 // NVD: CVE-2016-4520

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2016-003793 // NVD: CVE-2016-4520

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201607-434

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201607-434

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-003793

PATCH

title:	Digital Sentry	url:	https://www.pelco.com/video-management-solutions/digital-sentry-flexible-video-management#tab/documents	Trust: 0.8
title:	SEVD-2016-153-01	url:	http://download.schneider-electric.com/files?p_Reference=SEVD-2016-153-01&p_EnDocType=Technical%20leaflet&p_File_Id=3576096274&p_File_Name=SEVD-2016-153-01+Pelco+Digital+Sentry.pdf	Trust: 0.8
title:	Patch for Schneider Electric Pelco Digital Sentry Video Management System has an unknown vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/79243	Trust: 0.6
title:	Schneider Electric Pelco Digital Sentry Video Management System Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=62976	Trust: 0.6

sources: CNVD: CNVD-2016-04934 // JVNDB: JVNDB-2016-003793 // CNNVD: CNNVD-201607-434

EXTERNAL IDS

db:	ICS CERT	id:	ICSA-16-196-01	Trust: 3.4
db:	NVD	id:	CVE-2016-4520	Trust: 3.4
db:	BID	id:	91783	Trust: 2.0
db:	SCHNEIDER	id:	SEVD-2016-153-01	Trust: 1.7
db:	JVNDB	id:	JVNDB-2016-003793	Trust: 0.8
db:	CNNVD	id:	CNNVD-201607-434	Trust: 0.7
db:	CNVD	id:	CNVD-2016-04934	Trust: 0.6
db:	VULHUB	id:	VHN-93339	Trust: 0.1

sources: CNVD: CNVD-2016-04934 // VULHUB: VHN-93339 // BID: 91783 // JVNDB: JVNDB-2016-003793 // CNNVD: CNNVD-201607-434 // NVD: CVE-2016-4520

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-16-196-01	Trust: 3.4
url:	http://www.schneider-electric.com/ww/en/download/document/sevd-2016-153-01	Trust: 1.7
url:	http://www.securityfocus.com/bid/91783	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-4520	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-4520	Trust: 0.8
url:	http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true	Trust: 0.3

sources: CNVD: CNVD-2016-04934 // VULHUB: VHN-93339 // BID: 91783 // JVNDB: JVNDB-2016-003793 // CNNVD: CNNVD-201607-434 // NVD: CVE-2016-4520

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 91783

SOURCES

db:	CNVD	id:	CNVD-2016-04934
db:	VULHUB	id:	VHN-93339
db:	BID	id:	91783
db:	JVNDB	id:	JVNDB-2016-003793
db:	CNNVD	id:	CNNVD-201607-434
db:	NVD	id:	CVE-2016-4520

LAST UPDATE DATE

2025-04-13T23:38:59.519000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-04934	date:	2016-07-19T00:00:00
db:	VULHUB	id:	VHN-93339	date:	2016-11-28T00:00:00
db:	BID	id:	91783	date:	2016-07-14T00:00:00
db:	JVNDB	id:	JVNDB-2016-003793	date:	2016-07-25T00:00:00
db:	CNNVD	id:	CNNVD-201607-434	date:	2016-07-18T00:00:00
db:	NVD	id:	CVE-2016-4520	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-04934	date:	2016-07-19T00:00:00
db:	VULHUB	id:	VHN-93339	date:	2016-07-15T00:00:00
db:	BID	id:	91783	date:	2016-07-14T00:00:00
db:	JVNDB	id:	JVNDB-2016-003793	date:	2016-07-25T00:00:00
db:	CNNVD	id:	CNNVD-201607-434	date:	2016-07-18T00:00:00
db:	NVD	id:	CVE-2016-4520	date:	2016-07-15T16:59:09.377