CVE-2012-4694 - Vulnerability Details - OpenCVE

Moxa EDR-G903 series routers with firmware before 2.11 do not use a sufficient source of entropy for (1) SSH and (2) SSL keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Moxa	Edr-g903 Edr G903 Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:a:moxa:edr_g903_firmware::::::::
	cpe:2.3:a:moxa:edr_g903_firmware:1.0:::::::*
	cpe:2.3:a:moxa:edr_g903_firmware:2.0:::::::*
	cpe:2.3:a:moxa:edr_g903_firmware:2.1:::::::*

cpe:2.3:h:moxa:edr-g903:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf
http://www.moxa.com/support/download.aspx?type=support&id=492

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2013-02-15T11:00:00Z

Updated: 2024-09-16T17:03:16.356Z

Reserved: 2012-08-28T00:00:00Z

Link: CVE-2012-4694

Vulnrichment

No data.

NVD

Status : Modified

Published: 2013-02-15T12:09:27.633

Modified: 2024-11-21T01:43:22.207

Link: CVE-2012-4694

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Moxa EDR-G903 series routers with firmware before 2.11 do not use a sufficient source of entropy for (1) SSH and (2) SSL keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-02-15T11:00:00Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.moxa.com/support/download.aspx?type=support&id=492"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2012-4694", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Moxa EDR-G903 series routers with firmware before 2.11 do not use a sufficient source of entropy for (1) SSH and (2) SSL keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf", "refsource": "MISC", "url": "http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf"}, {"name": "http://www.moxa.com/support/download.aspx?type=support&id=492", "refsource": "CONFIRM", "url": "http://www.moxa.com/support/download.aspx?type=support&id=492"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T20:42:55.129Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.moxa.com/support/download.aspx?type=support&id=492"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2012-4694", "datePublished": "2013-02-15T11:00:00Z", "dateReserved": "2012-08-28T00:00:00Z", "dateUpdated": "2024-09-16T17:03:16.356Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moxa:edr_g903_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "073FFA29-3EA2-4A26-8381-9667B3F28A77", "versionEndIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:moxa:edr_g903_firmware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "801FAD11-D12C-4B2B-8469-07409254E2AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:moxa:edr_g903_firmware:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0C58E1CB-D824-4ED0-9CD1-6DA14092F5E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:moxa:edr_g903_firmware:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "B629626D-56E2-4D72-BED0-7729B8365DE1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:moxa:edr-g903:-:*:*:*:*:*:*:*", "matchCriteriaId": "FDB89B47-4598-4F6D-951F-DF546C8CAA96", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Moxa EDR-G903 series routers with firmware before 2.11 do not use a sufficient source of entropy for (1) SSH and (2) SSL keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere."}, {"lang": "es", "value": "Los routers de la serie Moxa EDR-G903 con firmware anterior a v2.11 no utilizan una fuente suficiente de entrop\u00eda para (1) SSH y (2) llaves SSL, lo que hace que sea m\u00e1s f\u00e1cil para atacantes MITM (man-in-the-middle) a la hora de falsificar un dispositivo o modificar un flujo de datos cliente-servidor mediante el aprovechamiento de conocimiento de una clave de una instalaci\u00f3n del producto en otros lugares."}], "id": "CVE-2012-4694", "lastModified": "2024-11-21T01:43:22.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-02-15T12:09:27.633", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["US Government Resource"], "url": "http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf"}, {"source": "ics-cert@hq.dhs.gov", "url": "http://www.moxa.com/support/download.aspx?type=support&id=492"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://ics-cert.us-cert.gov/pdf/ICSA-13-042-01.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.moxa.com/support/download.aspx?type=support&id=492"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}