CVE-2014-5419

Current Description

GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key across different customers' installations, which makes it easier for remote attackers to obtain the cleartext content of network traffic by reading this key from a firmware image and then sniffing the network.

Basic Data

PublishedJanuary 17, 2015
Last ModifiedJanuary 21, 2015
Assignercve@mitre.org
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeCWE-310
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 2 - Access VectorNETWORK
CVSS 2 - Access ComplexityLOW
CVSS 2 - AuthenticationNONE
CVSS 2 - Confidentiality ImpactPARTIAL
CVSS 2 - Availability ImpactNONE
CVSS 2 - Base Score5.0
SeverityMEDIUM
Exploitability Score10.0
Impact Score2.9
Obtain All Privilegefalse
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

No data provided.

Configurations

  • AND
    • OR - Configuration 1
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSGeMultilink Ml3100 Firmware********5.2.0
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareGeMultilink Ml3100********
  • AND
    • OR - Configuration 2
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSGeMultilink Ml3000 Firmware********5.2.0
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareGeMultilink Ml3000********
  • AND
    • OR - Configuration 3
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSGeMultilink Ml810 Firmware********5.2.0
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareGeMultilink Ml810-*******
  • AND
    • OR - Configuration 4
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSGeMultilink Ml1600 Firmware********4.2.1
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareGeMultilink Ml1600-*******
  • AND
    • OR - Configuration 5
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSGeMultilink Ml800 Firmware********4.2.1
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareGeMultilink Ml800-*******
  • AND
    • OR - Configuration 6
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSGeMultilink Ml2400 Firmware********4.2.1
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareGeMultilink Ml2400-*******
  • AND
    • OR - Configuration 7
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3OSGeMultilink Ml1200 Firmware********4.2.1
    • OR Running on/with:
      Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
      2.3HardwareGeMultilink Ml1200-*******

Vulnerable Software List

VendorProductVersions
Ge Multilink Ml810 Firmware *
Ge Multilink Ml810 -
Ge Multilink Ml1600 Firmware *
Ge Multilink Ml1600 -
Ge Multilink Ml1200 Firmware *
Ge Multilink Ml1200 -
Ge Multilink Ml3000 Firmware *
Ge Multilink Ml3000 *
Ge Multilink Ml2400 Firmware *
Ge Multilink Ml2400 -
Ge Multilink Ml3100 Firmware *
Ge Multilink Ml3100 *
Ge Multilink Ml800 Firmware *
Ge Multilink Ml800 -

References

NameSourceURLTags
http://www.gedigitalenergy.com/products/support/multilink/MLSB1214.pdfhttp://www.gedigitalenergy.com/products/support/multilink/MLSB1214.pdfCONFIRMVendor Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-15-013-04https://ics-cert.us-cert.gov/advisories/ICSA-15-013-04MISCThird Party Advisory US Government Resource