CVE-2015-7923 - OpenCVE

Westermo WeOS before 4.19.0 uses the same SSL private key across different customers' installations, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by leveraging knowledge of a key.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Westermo	Weos

Configuration 1 [-]

cpe:2.3:o:westermo:weos:4.18.0:*:*:*:*:*:*:*

References

Link	Resource
https://ics-cert.us-cert.gov/advisories/ICSA-16-028-01	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2016-01-30T11:00:00

Updated: 2016-01-30T11:57:01

Reserved: 2015-10-22T00:00:00

Link: CVE-2015-7923

JSON object: View

NVD Information

Status : Analyzed

Published: 2016-01-30T12:59:00.133

Modified: 2016-03-07T16:35:00.777

Link: CVE-2015-7923

JSON object: View

Redhat Information

No data.

CWE

CWE-310

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:westermo:weos:4.18.0:*:*:*:*:*:*:*", "matchCriteriaId": "E5B3B5BB-5E49-4097-8DC7-FDD9A56AC821", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Westermo WeOS before 4.19.0 uses the same SSL private key across different customers' installations, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by leveraging knowledge of a key."}, {"lang": "es", "value": "Westermo WeOS en versiones anteriores a 4.19.0 utiliza la misma clave SSL privada para las diferentes instalaciones de clientes, lo que facilita a atacantes man-in-the-middle vencer los mecanismos de protecci\u00f3n criptogr\u00e1fica aprovechando el conocimiento de una clave."}], "id": "CVE-2015-7923", "lastModified": "2016-03-07T16:35:00.777", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-01-30T12:59:00.133", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-028-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}