CVE-2015-7285 - Vulnerability Details - OpenCVE

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended access restrictions via a spoofed HSxx response.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Csl Dualcom	Gprs Gprs Cs2300-r Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:csl_dualcom:gprs_cs2300-r_firmware:1.25:::::::*
	cpe:2.3:o:csl_dualcom:gprs_cs2300-r_firmware:3.53:::::::*

cpe:2.3:h:csl_dualcom:gprs:cs2300-r:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://cybergibbons.com/?p=2844
http://www.kb.cert.org/vuls/id/428280
http://www.kb.cert.org/vuls/id/BLUU-A3NQAL

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2015-11-25T02:00:00

Updated: 2024-08-06T07:43:46.169Z

Reserved: 2015-09-18T00:00:00

Link: CVE-2015-7285

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-11-25T04:59:01.840

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-7285

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-11-23T00:00:00", "descriptions": [{"lang": "en", "value": "CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended access restrictions via a spoofed HSxx response."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-11-25T04:57:04", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "VU#428280", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/428280"}, {"tags": ["x_refsource_MISC"], "url": "http://cybergibbons.com/?p=2844"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.kb.cert.org/vuls/id/BLUU-A3NQAL"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2015-7285", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended access restrictions via a spoofed HSxx response."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "VU#428280", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/428280"}, {"name": "http://cybergibbons.com/?p=2844", "refsource": "MISC", "url": "http://cybergibbons.com/?p=2844"}, {"name": "http://www.kb.cert.org/vuls/id/BLUU-A3NQAL", "refsource": "CONFIRM", "url": "http://www.kb.cert.org/vuls/id/BLUU-A3NQAL"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T07:43:46.169Z"}, "title": "CVE Program Container", "references": [{"name": "VU#428280", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/428280"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://cybergibbons.com/?p=2844"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/BLUU-A3NQAL"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2015-7285", "datePublished": "2015-11-25T02:00:00", "dateReserved": "2015-09-18T00:00:00", "dateUpdated": "2024-08-06T07:43:46.169Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:csl_dualcom:gprs_cs2300-r_firmware:1.25:*:*:*:*:*:*:*", "matchCriteriaId": "2397CE4A-E81A-4AC3-B270-55B9C3B048EA", "vulnerable": true}, {"criteria": "cpe:2.3:o:csl_dualcom:gprs_cs2300-r_firmware:3.53:*:*:*:*:*:*:*", "matchCriteriaId": "81B16396-C7FC-41B5-B7F4-FEA34DC2D0A9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:csl_dualcom:gprs:cs2300-r:*:*:*:*:*:*:*", "matchCriteriaId": "31C0CB19-FCF0-42D7-B206-B0DB2D92E3A2", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended access restrictions via a spoofed HSxx response."}, {"lang": "es", "value": "Dispositivos CSL DualCom GPRS CS2300-R con firmware 1.25 hasta la versi\u00f3n 3.53 no requiere autenticaci\u00f3n desde los servidores de Alarm Receiving Center (ARC), lo que permite a atacantes man-in-the-middle eludir las restricciones de acceso previstas a trav\u00e9s de una respuesta HSxx falsificada."}], "id": "CVE-2015-7285", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-11-25T04:59:01.840", "references": [{"source": "cret@cert.org", "tags": ["Exploit"], "url": "http://cybergibbons.com/?p=2844"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/428280"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/BLUU-A3NQAL"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://cybergibbons.com/?p=2844"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/428280"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/BLUU-A3NQAL"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}