Sign-up

ID

VAR-202002-0860


CVE

CVE-2015-2909


TITLE

Dedicated Micros DVR products use plaintext protocols and require no password by default

Trust: 0.8

sources: CERT/CC: VU#276148

DESCRIPTION

Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 devices rely on a GUI warning to help ensure that the administrator configures login credentials, which makes it easier for remote attackers to obtain access by leveraging situations in which this warning was not heeded. NOTE: the vendor states "The user is presented with clear warnings on the GUI that they should set usernames and passwords.". Dedicated Micros Digital video recorder products by default communicate with plain text that is not encrypted and do not authenticate users with a password. Do not encrypt sensitive data (CWE-311) Dedicated Micros The digital video recorder product of the default is a protocol that does not encrypt communication contents by default. HTTP , Telnet , FTP It is the end user's responsibility to configure to use a more secure protocol. Therefore, with the default settings, communications may be viewed or altered by a third party. CWE-311: Missing Encryption of Sensitive Data https://cwe.mitre.org/data/definitions/311.html Inappropriate access control (CWE-284) - CVE-2015-2909 Dedicated Micros Digital video recorder products by default do not require user authentication by default. End users can set a password on the device, but it is not required. With the default settings, the device may be freely accessed or altered by a third party. CWE-284: Improper Access Control https://cwe.mitre.org/data/definitions/284.htmlSensitive data can be viewed and manipulated by a remote attacker. Also, devices that are not configured securely can be completely deprived of control. A number of Dedicated Micros products have security vulnerabilities that allow remote attackers to exploit the vulnerability to gain unauthorized access to the device. This may aid in further attacks

Trust: 3.15

sources: NVD: CVE-2015-2909 // CERT/CC: VU#276148 // JVNDB: JVNDB-2015-004308 // CNVD: CNVD-2015-05663 // BID: 76438

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-05663

AFFECTED PRODUCTS

vendor:netvumodel:ds2 \scope:eqversion: -

Trust: 4.0

vendor:netvumodel:sd 8\/12\/16 no kbd \scope:eqversion: -

Trust: 2.0

vendor:netvumodel:sd 8\/16 front panel kbd \scope:eqversion: -

Trust: 2.0

vendor:netvumodel:sd 32 \scope:eqversion: -

Trust: 2.0

vendor:netvumodel:sd 4 \scope:eqversion: -

Trust: 2.0

vendor:netvumodel:sd advanced non closed iptv \scope:eqversion: -

Trust: 1.0

vendor:netvumodel:sd advanced closed iptv \scope:eqversion: -

Trust: 1.0

vendor:netvumodel:dv-ip expressscope:eqversion: -

Trust: 1.0

vendor:netvumodel:ecosense 4\/8\/16 \scope:eqversion: -

Trust: 1.0

vendor:netvumodel:sd-advanced - sdhdscope:eqversion: -

Trust: 1.0

vendor:netvumodel:sd-advanced 8\/12\/16 vgascope:eqversion: -

Trust: 1.0

vendor:netvumodel:ds2 \ netvu connectedscope:eqversion: -

Trust: 1.0

vendor:netvumodel:sd advanced nvrscope:eqversion: -

Trust: 1.0

vendor:dedicated microsmodel: - scope: - version: -

Trust: 0.8

vendor:dedicated microsmodel:digital sprite 2scope:eqversion:(ds2)

Trust: 0.8

vendor:dedicated microsmodel:dv-ip expressscope: - version: -

Trust: 0.8

vendor:dedicated microsmodel:ecosensescope: - version: -

Trust: 0.8

vendor:dedicated microsmodel:sdscope: - version: -

Trust: 0.8

vendor:dedicated microsmodel:sd advancedscope: - version: -

Trust: 0.8

vendor:dedicated micros usamodel:ecosense digital video recorderscope: - version: -

Trust: 0.6

sources: CERT/CC: VU#276148 // CNVD: CNVD-2015-05663 // JVNDB: JVNDB-2015-004308 // NVD: CVE-2015-2909

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2909
value: CRITICAL

Trust: 1.0

NVD: CVE-2015-2909
value: HIGH

Trust: 0.8

IPA: JVNDB-2015-004308
value: HIGH

Trust: 0.8

CNVD: CNVD-2015-05663
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201508-473
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2015-2909
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2015-2909
severity: HIGH
baseScore: 10.0
vectorString: NONE
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

IPA: JVNDB-2015-004308
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2015-05663
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2015-2909
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CERT/CC: VU#276148 // CNVD: CNVD-2015-05663 // JVNDB: JVNDB-2015-004308 // CNNVD: CNNVD-201508-473 // NVD: CVE-2015-2909

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2015-004308 // NVD: CVE-2015-2909

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201508-473

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201508-473

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-004308

EXPLOIT AVAILABILITY
sources:
            
            
            CERT/CC: VU#276148

PATCH
title:Products Groupurl:http://www.dedicatedmicros.com/europe/products_group.php?product_group_id=1
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2015-004308

EXTERNAL IDS
db:CERT/CCid:VU#276148
Trust: 3.8
db:NVDid:CVE-2015-2909
Trust: 3.3
db:JVNid:JVNVU97413676
Trust: 0.8
db:JVNDBid:JVNDB-2015-004308
Trust: 0.8
db:CNVDid:CNVD-2015-05663
Trust: 0.6
db:CNNVDid:CNNVD-201508-473
Trust: 0.6
db:BIDid:76438
Trust: 0.3
sources:
            
            
            CERT/CC: VU#276148 // 
            
            
            
            CNVD: CNVD-2015-05663 // 
            
            
            
            BID: 76438 // 
            
            
            
            JVNDB: JVNDB-2015-004308 // 
            
            
            
            CNNVD: CNNVD-201508-473 // 
            
            
            
            NVD: CVE-2015-2909

REFERENCES
url:http://cybergibbons.com/security-2/shodan-searches/interesting-shodan-searches-sd-advanced-dvrs/
Trust: 3.2
url:http://www.kb.cert.org/vuls/id/276148
Trust: 2.4
url:https://www.shodan.io/search?query=command+line+processor+-username
Trust: 1.6
url:http://www.dedicatedmicros.com/europe/products_group.php?product_group_id=1
Trust: 0.8
url:http://cwe.mitre.org/data/definitions/284.html
Trust: 0.8
url:http://cwe.mitre.org/data/definitions/311.html
Trust: 0.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2909
Trust: 0.8
url:http://jvn.jp/vu/jvnvu97413676/index.html
Trust: 0.8
url:http://www.kb.cert.org/vuls/id/jlad-9zgmh7
Trust: 0.6
url:https://nvd.nist.gov/vuln/detail/cve-2015-2909
Trust: 0.6
sources:
            
            
            CERT/CC: VU#276148 // 
            
            
            
            CNVD: CNVD-2015-05663 // 
            
            
            
            JVNDB: JVNDB-2015-004308 // 
            
            
            
            CNNVD: CNNVD-201508-473 // 
            
            
            
            NVD: CVE-2015-2909

CREDITS
Andrew Tierney
Trust: 0.9
sources:
            
            
            BID: 76438 // 
            
            
            
            CNNVD: CNNVD-201508-473

SOURCES
db:CERT/CCid:VU#276148
db:CNVDid:CNVD-2015-05663
db:BIDid:76438
db:JVNDBid:JVNDB-2015-004308
db:CNNVDid:CNNVD-201508-473
db:NVDid:CVE-2015-2909

LAST UPDATE DATE
2024-11-23T22:05:47.937000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#276148date:2015-08-20T00:00:00
db:CNVDid:CNVD-2015-05663date:2015-08-27T00:00:00
db:BIDid:76438date:2015-08-20T00:00:00
db:JVNDBid:JVNDB-2015-004308date:2015-08-24T00:00:00
db:CNNVDid:CNNVD-201508-473date:2020-05-29T00:00:00
db:NVDid:CVE-2015-2909date:2024-11-21T02:28:18.260

SOURCES RELEASE DATE
db:CERT/CCid:VU#276148date:2015-08-20T00:00:00
db:CNVDid:CNVD-2015-05663date:2015-08-27T00:00:00
db:BIDid:76438date:2015-08-20T00:00:00
db:JVNDBid:JVNDB-2015-004308date:2015-08-24T00:00:00
db:CNNVDid:CNNVD-201508-473date:2015-08-21T00:00:00
db:NVDid:CVE-2015-2909date:2020-02-06T15:15:11.047