CVE-2015-6456 - OpenCVE

GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 have hardcoded credentials for a support account, which allows remote attackers to obtain administrative access, and consequently execute arbitrary code, by leveraging knowledge of the password.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ge	Mds Pulsenet

Configuration 1 [-]

OR	cpe:2.3:a:ge:mds_pulsenet::::::::
	cpe:2.3:a:ge:mds_pulsenet:::::enterprise:::*

No data.

References

Link	Providers
http://www.gedigitalenergy.com/app/resources.aspx?prod=pulsenet&type=9
http://zerodayinitiative.com/advisories/ZDI-15-440/
https://ics-cert.us-cert.gov/advisories/ICSA-15-258-03

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2015-09-18T22:00:00

Updated: 2024-08-06T07:22:21.560Z

Reserved: 2015-08-17T00:00:00

Link: CVE-2015-6456

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2015-09-18T22:59:05.483

Modified: 2015-09-23T18:43:47.060

Link: CVE-2015-6456

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-08-31T00:00:00", "descriptions": [{"lang": "en", "value": "GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 have hardcoded credentials for a support account, which allows remote attackers to obtain administrative access, and consequently execute arbitrary code, by leveraging knowledge of the password."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-09-18T21:57:03", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://zerodayinitiative.com/advisories/ZDI-15-440/"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.gedigitalenergy.com/app/resources.aspx?prod=pulsenet&type=9"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-258-03"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2015-6456", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 have hardcoded credentials for a support account, which allows remote attackers to obtain administrative access, and consequently execute arbitrary code, by leveraging knowledge of the password."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://zerodayinitiative.com/advisories/ZDI-15-440/", "refsource": "MISC", "url": "http://zerodayinitiative.com/advisories/ZDI-15-440/"}, {"name": "http://www.gedigitalenergy.com/app/resources.aspx?prod=pulsenet&type=9", "refsource": "CONFIRM", "url": "http://www.gedigitalenergy.com/app/resources.aspx?prod=pulsenet&type=9"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-258-03", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-258-03"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T07:22:21.560Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://zerodayinitiative.com/advisories/ZDI-15-440/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.gedigitalenergy.com/app/resources.aspx?prod=pulsenet&type=9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-258-03"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2015-6456", "datePublished": "2015-09-18T22:00:00", "dateReserved": "2015-08-17T00:00:00", "dateUpdated": "2024-08-06T07:22:21.560Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ge:mds_pulsenet:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1538CC5-82FE-4847-A9E1-AA90E85D5057", "versionEndIncluding": "3.1.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:ge:mds_pulsenet:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "3A730B4B-9A48-4F92-8730-ECF75F8F5DE1", "versionEndIncluding": "3.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 have hardcoded credentials for a support account, which allows remote attackers to obtain administrative access, and consequently execute arbitrary code, by leveraging knowledge of the password."}, {"lang": "es", "value": "Vulnerabilidad en GE Digital Energy MDS PulseNET y MDS PulseNET Enterprise en versiones anteriores a 3.1.5, tienen credenciales embebidos para la cuenta de soporte, lo que permite a atacantes remotos obtener acceso adminitrativo, y consecuentemente ejecutar c\u00f3digo arbitrario, aprovech\u00e1ndose del conocimiento de la contrase\u00f1a."}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/798.html\" target=\"_blank\">CWE-798: Use of Hard-coded Credentials</a>", "id": "CVE-2015-6456", "lastModified": "2015-09-23T18:43:47.060", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-09-18T22:59:05.483", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "http://www.gedigitalenergy.com/app/resources.aspx?prod=pulsenet&type=9"}, {"source": "ics-cert@hq.dhs.gov", "url": "http://zerodayinitiative.com/advisories/ZDI-15-440/"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-258-03"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}