CVE-2014-9198

The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.

CVSS v2.0 10.0 HIGH

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.securityfocus.com/bid/72258
http://www.securityfocus.com/bid/77765
https://ics-cert.us-cert.gov/advisories/ICSA-15-020-02	Patch US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:schneider-electric:etg3000_factorycast_hmi_gateway_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:schneider-electric:tsxetg3000:-:::::::*
	cpe:2.3:h:schneider-electric:tsxetg3010:-:::::::*
	cpe:2.3:h:schneider-electric:tsxetg3021:-:::::::*
	cpe:2.3:h:schneider-electric:tsxetg3022:-:::::::*

History

No history.

Information

Published : 2015-01-27 19:59

Updated : 2019-04-15 12:30

NVD link : CVE-2014-9198

Mitre link : CVE-2014-9198

CVE.ORG link : CVE-2014-9198

JSON object : View

Products Affected

schneider-electric

tsxetg3000
tsxetg3010
tsxetg3021
tsxetg3022
etg3000_factorycast_hmi_gateway_firmware

CWE

CWE-255

Credentials Management Errors

{"id": "CVE-2014-9198", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-01-27T19:59:10.810", "references": [{"url": "http://www.securityfocus.com/bid/72258", "source": "ics-cert@hq.dhs.gov"}, {"url": "http://www.securityfocus.com/bid/77765", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-020-02", "tags": ["Patch", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-255"}]}], "descriptions": [{"lang": "en", "value": "The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session."}, {"lang": "es", "value": "El servidor FTP en Schneider Electric ETG3000 FactoryCast HMI Gateway con firmware hasta 1.60 IR 04 tienen credenciales embebidas, lo que facilita a atacantes remotos obtener el acceso a trav\u00e9s de una sesi\u00f3n FTP."}], "lastModified": "2019-04-15T12:30:07.633", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:etg3000_factorycast_hmi_gateway_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18F4A2AF-AC0E-4CE8-A783-806E8D8C2A2D", "versionEndIncluding": "1.60.4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:tsxetg3000:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46D2618A-486E-4055-BAFD-81F82C6B3D2A"}, {"criteria": "cpe:2.3:h:schneider-electric:tsxetg3010:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55B765EF-1FA4-4994-AE8C-E11BF4F9B95E"}, {"criteria": "cpe:2.3:h:schneider-electric:tsxetg3021:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB5F2A27-898A-4F8F-BAD5-FA64370A6B98"}, {"criteria": "cpe:2.3:h:schneider-electric:tsxetg3022:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D483984-53F3-4972-9F6D-9446C06891D5"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}