CVE-2018-5402 - OpenCVE

The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN Impact: An attacker once authenticated can change configurations, upload new configuration files, and upload executable code via file upload for firmware updates. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and the Marine Pro Observer Android App. Versions prior to 3.7 on ARMv7.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Arm	Arm7
Auto-maskin	Dcu 210e Dcu 210e Firmware Marine Pro Observer Rp 210e Rp 210e Firmware

Configuration 1 [-]

AND

cpe:2.3:o:auto-maskin:rp_210e_firmware:-:*:*:*:*:*:*:*

OR	cpe:2.3:h:arm:arm7::::::::
	cpe:2.3:h:auto-maskin:rp_210e:-:::::::*

Configuration 2 [-]

AND

cpe:2.3:o:auto-maskin:dcu_210e_firmware:-:*:*:*:*:*:*:*

OR	cpe:2.3:h:arm:arm7::::::::
	cpe:2.3:h:auto-maskin:dcu_210e:-:::::::*

Configuration 3 [-]

cpe:2.3:a:auto-maskin:marine_pro_observer:-:*:*:*:*:android:*:*

No data.

References

Link	Providers
https://www.kb.cert.org/vuls/id/176301
https://www.us-cert.gov/ics/advisories/icsa-20-051-04

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2018-10-08T15:00:00Z

Updated: 2024-09-16T17:28:38.924Z

Reserved: 2018-01-12T00:00:00

Link: CVE-2018-5402

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-10-08T15:29:02.977

Modified: 2019-10-09T23:41:18.187

Link: CVE-2018-5402

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["ARMv7"], "product": "DCU-210E", "vendor": "Auto-Maskin", "versions": [{"lessThan": "3.7", "status": "affected", "version": "3.7", "versionType": "custom"}]}, {"platforms": ["ARMv7"], "product": "RP-210E", "vendor": "Auto-Maskin", "versions": [{"lessThan": "3.7", "status": "affected", "version": "3.7", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Reporters: Brian Satira, Brian Olson, Organization: Project Gunsway"}], "datePublic": "2018-10-01T00:00:00", "descriptions": [{"lang": "en", "value": "The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN Impact: An attacker once authenticated can change configurations, upload new configuration files, and upload executable code via file upload for firmware updates. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and the Marine Pro Observer Android App. Versions prior to 3.7 on ARMv7."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319: Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-02-24T14:50:13", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "VU#176301", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://www.kb.cert.org/vuls/id/176301"}, {"tags": ["x_refsource_MISC"], "url": "https://www.us-cert.gov/ics/advisories/icsa-20-051-04"}], "solutions": [{"lang": "en", "value": "The devices should implement TLS for authentication to administrator functions via embedded webserver."}], "source": {"discovery": "EXTERNAL"}, "title": "The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "DATE_PUBLIC": "2018-10-01T04:00:00.000Z", "ID": "CVE-2018-5402", "STATE": "PUBLIC", "TITLE": "The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DCU-210E", "version": {"version_data": [{"affected": "<", "platform": "ARMv7", "version_affected": "<", "version_name": "3.7", "version_value": "3.7"}]}}, {"product_name": "RP-210E", "version": {"version_data": [{"affected": "<", "platform": "ARMv7", "version_affected": "<", "version_name": "3.7", "version_value": "3.7"}]}}]}, "vendor_name": "Auto-Maskin"}]}}, "credit": [{"lang": "eng", "value": "Reporters: Brian Satira, Brian Olson, Organization: Project Gunsway"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN Impact: An attacker once authenticated can change configurations, upload new configuration files, and upload executable code via file upload for firmware updates. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and the Marine Pro Observer Android App. Versions prior to 3.7 on ARMv7."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-319: Cleartext Transmission of Sensitive Information"}]}]}, "references": {"reference_data": [{"name": "VU#176301", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/176301"}, {"name": "https://www.us-cert.gov/ics/advisories/icsa-20-051-04", "refsource": "MISC", "url": "https://www.us-cert.gov/ics/advisories/icsa-20-051-04"}]}, "solution": [{"lang": "en", "value": "The devices should implement TLS for authentication to administrator functions via embedded webserver."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T05:33:44.364Z"}, "title": "CVE Program Container", "references": [{"name": "VU#176301", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "https://www.kb.cert.org/vuls/id/176301"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.us-cert.gov/ics/advisories/icsa-20-051-04"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2018-5402", "datePublished": "2018-10-08T15:00:00Z", "dateReserved": "2018-01-12T00:00:00", "dateUpdated": "2024-09-16T17:28:38.924Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:auto-maskin:rp_210e_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A6276379-86DE-440E-88B1-E2B4AC1A1DD6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:arm:arm7:*:*:*:*:*:*:*:*", "matchCriteriaId": "D64AEAAE-5F7C-43B9-AACA-39C927BDB5B4", "versionEndExcluding": "3.7", "vulnerable": false}, {"criteria": "cpe:2.3:h:auto-maskin:rp_210e:-:*:*:*:*:*:*:*", "matchCriteriaId": "2B7F66D3-0436-4BF6-A177-C04C59BFAEE5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:auto-maskin:dcu_210e_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "4121F18D-C67D-402B-85EB-7768BED46A82", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:arm:arm7:*:*:*:*:*:*:*:*", "matchCriteriaId": "D64AEAAE-5F7C-43B9-AACA-39C927BDB5B4", "versionEndExcluding": "3.7", "vulnerable": false}, {"criteria": "cpe:2.3:h:auto-maskin:dcu_210e:-:*:*:*:*:*:*:*", "matchCriteriaId": "378677CF-D35D-4122-B481-3B7FCF6F4D27", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:auto-maskin:marine_pro_observer:-:*:*:*:*:android:*:*", "matchCriteriaId": "D9050A5F-13F4-44EC-B1C9-8DB90508AA8D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN Impact: An attacker once authenticated can change configurations, upload new configuration files, and upload executable code via file upload for firmware updates. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and the Marine Pro Observer Android App. Versions prior to 3.7 on ARMv7."}, {"lang": "es", "value": "Las aplicaciones de Android Auto-Maskin DCU 210E, RP-210E y Marine Pro Observer emplean un servidor web embebido que emplea texto plano para la transmisi\u00f3n del PIN del administrador. Impacto: Una vez autenticado, un atacante puede cambiar las configuraciones, subir nuevos archivos de configuraci\u00f3n y subir c\u00f3digo ejecutable mediante la subida de archivos para actualizaciones de firmware. Se requiere acceso a la red. Las versiones afectadas son las aplicaciones de Android Auto-Maskin DCU-210E RP-210E y Marine Pro Observer. Versiones anteriores a la 3.7 en ARMv7."}], "id": "CVE-2018-5402", "lastModified": "2019-10-09T23:41:18.187", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "cret@cert.org", "type": "Secondary"}]}, "published": "2018-10-08T15:29:02.977", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/176301"}, {"source": "cret@cert.org", "url": "https://www.us-cert.gov/ics/advisories/icsa-20-051-04"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "cret@cert.org", "type": "Secondary"}]}