CVE-2014-3260 (GCVE-0-2014-3260)
Vulnerability from cvelistv5
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:35:57.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-12-31T04:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-3260",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-3260",
"datePublished": "2015-12-31T02:00:00",
"dateReserved": "2014-05-07T00:00:00",
"dateUpdated": "2024-08-06T10:35:57.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2014-3260\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2015-12-31T05:59:00.080\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography.\"},{\"lang\":\"es\",\"value\":\"Dispositivos Pacom 1000 CCU y RTU GMS permiten a atacantes remotos suplantar el flujo de datos del controlador a la base aprovechando un uso indebido de cifrado.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-310\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:pacom:1000_ccu_gms:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"92
07C68D-F277-4D7F-8EFE-A33DECF5B772\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:h:pacom:rtu_gms:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5BD88282-192D-4A79-BD19-970CE577D1B4\"}]}]}],\"references\":[{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
}
}
fkie_cve-2014-3260
Vulnerability from fkie_nvd
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03 | Third Party Advisory, US Government Resource |
| af854a3a-2127-422b-91ae-364da2661108 | https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03 | Third Party Advisory, US Government Resource |
| Vendor | Product | Version |
|---|---|---|
| pacom | 1000_ccu_gms | * |
| pacom | rtu_gms | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:pacom:1000_ccu_gms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9207C68D-F277-4D7F-8EFE-A33DECF5B772",
"vulnerable": true
},
{
"criteria": "cpe:2.3:h:pacom:rtu_gms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5BD88282-192D-4A79-BD19-970CE577D1B4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography."
},
{
"lang": "es",
"value": "Dispositivos Pacom 1000 CCU y RTU GMS permiten a atacantes remotos suplantar el flujo de datos del controlador a la base aprovechando un uso indebido de cifrado."
}
],
"id": "CVE-2014-3260",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2015-12-31T05:59:00.080",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
gsd-2014-3260
Vulnerability from gsd
{
"GSD": {
"alias": "CVE-2014-3260",
"description": "Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography.",
"id": "GSD-2014-3260"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2014-3260"
],
"details": "Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography.",
"id": "GSD-2014-3260",
"modified": "2023-12-13T01:22:53.311223Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-3260",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:pacom:1000_ccu_gms:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:h:pacom:rtu_gms:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-3260"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03",
"refsource": "MISC",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM"
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9
}
},
"lastModifiedDate": "2015-12-31T20:28Z",
"publishedDate": "2015-12-31T05:59Z"
}
}
}
var-201512-0541
Vulnerability from variot
Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography. The Pacom 1000 CCU and RTU are products of Pacom, Sweden. The former is a network security panel for controlling, monitoring and maintaining remote sites, and the latter is a security panel that controls the access control alarm system. There are security vulnerabilities in the Pacom 1000 CCU and RTU encryption algorithms. The vulnerability can be exploited by an attacker to control communication between the program and the base station. Pacom RTU, EMCS and 1000 CCU are prone to multiple cryptography weaknesses. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
XPD - XPD Advisory
https://xpd.se
Crypto implementation flaws in Pacom GMS System
Advisory ID: XPD-2015-001 CVE reference: CVE-2014-3260 Affected platforms: Pacom 1000 CCU ("Base Station") and Controllers (RTU) Version: All versions are affected Date: 2013-Oktober-10 Security risk: High Vulnerability: Crypto implementation flaws in Pacom GMS System Researcher: Joachim Strombergson, Fredrik Soderblom, Peter Norin Vendor Status: Notified / Patch available Vulnerability Disclosure Policy: https://xpd.se/advisories/xpd-disclosure-policy-01.txt Permanent URL: https://xpd.se/advisories/XPD-2015-001.txt
=====================================================================
Summary:
The Pacom 1000 CCU and controllers (RTU) are used in security alarm installations all over the world. The flaws we have found make it possible to bypass the security of any unpatched installation. It is located at the site itself and performs all alarm and door control functions." - http://www.pacom.com/field-controllers.php
"Pacom security solutions are installed in over twenty countries on seven continents." - http://www.pacom.com/our-customers.php
Detailed description:
The Pacom 1000 implementation has several serious implementation flaws.
These vulnerabilities could in a worst case scenario lead to a full compromise of the protocol between the controller and the base station, rendering an alarm system useless.
Potentially a large number of sites could be affected by the described flaws.
PRNG:
The PRNG used is of a type known as a Linear Congruential Generator. This type of generator is known to provide random numbers with a less than perfectly uniform distribution. The PRNG is a 16-bit generator. This means that the generator can only generate 2**16 numbers in a sequence before it must be reseeded. There is no information about how the generator is initially seeded or how it is reseeded.
A simulation in Dieharder shows that the used algorithm fails every test except for one, where it receives the result 'Weak'.
The Linear Congruential Generator can be broken by observing values generated by consecutive iterations of the PRNG. The system creates 32-bit random numbers by extracting 8 bits from each of four consecutive 16-bit words generated by the PRNG. This means that by observing a single 32-bit word, an attacker in fact has half the state information (8 out of 16 bits) from four iterations of the generator.
MAC:
A Message Authentication Code (MAC) is generated and added to each message sent between CCU and Controller. The MAC generator used is not based on any well-known secure MAC construction such as HMAC or OMAC. Furthermore, the generated MAC is only 32 bits long.
Master Code:
There is a functionality for substitution detection. According to Pacom the functionality is based on a proprietary Pacom encryption method. Key to the functionality is a 24-bit randomly generated value called the Master Code. The Master Code is also used to generate the 128-bit AES key used with the substitution detection algorithm. Hence the effective strength of the key is not 128 bits, nor 104 bits (128 - 24), but 24 bits: a very short key with low security.
Unfortunately it appears that the aforementioned (16 bit only), less than optimal, PRNG is used to generate the Master Code, thus reducing its effective strength to 16 bits.
The Master Code is distributed from CCU to CPU-cards and other CCUs as well as GMS units (for logging purposes) in clear text. This means that the code potentially is sent unprotected over private networks, corporate networks, public networks etc.
Substitution detection:
According to Pacom documentation the "substitution detection involves appending a 128-bit check code to the controller heartbeat response messages. The check code is calculated from a combination of a hard-coded constant value, the controllers master code, and the message data. In essence it is another type of MAC, but one that employs the master code."
The implementation of the substitution detection uses a "check code" which is said to be 128 bits long and is appended to response messages. However, due to a design flaw, the code is only 64 bits long.
In total the heartbeat response message is 5 bytes (40 bits) long:
Byte 1: The message type (e.g. heartbeat response) Byte 2: A value based on random numbers sent in the heartbeat command from the CCU Byte 3: The controller summary status Byte 4: The heartbeat sequence number (zero or one) Byte 5: Always zero
Of the five bytes in the heartbeat response message, two bytes (4 and 5) are either one or zero, or always zero. Byte 3 is a simple status. So, of 40 bits, 32 bits are most likely predictable and the remaining 8 bits are probably chosen based on the weak PRNG. This means that a big part of the response message can be guessed.
The so called "128-bit check code" is then calculated over these 5 bytes using the aforementioned flawed Master Code and a 2 byte address of the controller, forming a 40 bit key, which is used with a hard coded constant to form an AES-128 key.
The resulting "128-bit check code" from the AES encryption is XORed with its own cleartext. This means that there is a direct path from cleartext to ciphertext bypassing the AES encryption. This leaks information about the cleartext and also opens the way for chosen-plaintext attacks.
Hard coded constants:
The security functionality uses several hard coded, secret constants for random number generation, MAC calculation, the substitution detection algorithm, etc. Unfortunately, because of the way these constants are used, information about them is leaked through the messages themselves, which makes recovery of the constants possible. If the constants are recovered and thus system security is lost, the units must be reprogrammed in the field or even replaced.
===================================================================== Conclusion:
We do not recommend relying on the security features in the system and the system should be viewed as an unprotected system.
If the system is to be used, a separate communication security mechanism should be added.
However, the usage of hard coded constants in the units and the associated need for field service or replacement if a breach occurs, makes us recommend that the system needs severe redesign before it is ready for production use.
We question whether the system has been designed with any knowledge of what have been known as good security practices for at least 30 years, or of good engineering practice.
===================================================================== Versions affected:
All versions of Pacom 1000 (CCU & RTU) - According to Pacom, this firmware will not be fixed. Customers are advised to switch to the EMCS platform instead.
All versions of EMCS (Pacom .is) prior to 1.3
The vendor reports that the following versions are patched: EMCS (Pacom .is) version 1.3 and above
===================================================================== Credits
This vulnerability was discovered and researched by Joachim Strombergson from Assured AB, Fredrik Soderblom and Peter Norin from XPD AB.
===================================================================== References
https://en.wikipedia.org/wiki/Linear_congruential_generator https://en.wikipedia.org/wiki/Diehard_tests
===================================================================== History
2013-10-10 Initial Discovery 2013-10-22 Initial attempt to contact the vendor 2013-11-12 Reply from Niscayah, case is assigned to internal resource 2014-05-07 CVE-2014-3260 is assigned 2014-06-05 Draft of the advisory sent to the vendor 2014-09-01 Pacom notifies us that fixed firmware (EMCS only) is ready 2015-12-08 Public disclosure
===================================================================== About Assured
Assured AB is a privately held company with headquarters in Gothenburg, Sweden. Established in 2015, Assured is an independent security consultancy firm that provides expert knowledge, advisory and design of IT security solutions.
http://assured.se
About XPD
XPD AB is a privately held company with Headquarters in Stockholm, Sweden. Established in 2002, XPD AB is an independent security consulting and research firm, with a focus on security and perimeter security solutions.
https://xpd.se
===================================================================== Disclaimer and Copyright
Copyright (c)2015 XPD AB and Assured AB. All rights reserved. This advisory may be distributed as long as its distribution is free-of-charge and proper credit is given.
The information provided in this advisory is provided "as is" without warranty of any kind. XPD AB and Assured AB disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall XPD AB or Assured AB, or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if XPD AB or Assured AB, or its suppliers have been advised of the possibility of such damages.
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJWYCTaAAoJEH47YPoA7U9kecIQAJP3eHCA6zdz3sq1bAPg4JOc SBmq/auoraVpcucBzjVkGy8qtCF12mu0Gf2Kn6zwCtUcBmfjAo97HZYFx582ofOy K0ZGkA06tfGWJthDZ1eyeotQq9yBRLl1un1hGmrM/CvyRMp7KDd2jUptBps6Ddrk dl5a8+tMcQkedSV+dNDLwVpLWn8/hsDL8YjbZCeVomNtgceTb07hMv6zqrf3TgYZ yyq7xlLNzEyQSXyF0qF+yKsQ0HQyAnzQyoyzzYjeSbBBhvjeb/6x0S8t0QuP2Hqy cM+zNn/zzPoaubHFVUMi0tluhr/mqagrdmugmWG5cEfStmZYKJLkM/1EkFZDmlUF fuWQ/YrIgYU8twBwqzO+9iUdMM6gqRNaKIO5nN+1ivlYwxoVJ5N+gYCUbEZCGQac JDWGuYtHUpEzL/E2WrLq6iTpxutn1iAuyDM67/vsJaucLngLHJdW/iCIx4OVNdn4 caXMo4UZbJUzzu1OOCtCuYpUZHIbLuuVZkmb3ihj5UL/Z9OXyGKv4XpFed8xqydx FnB+dsnaG1HKyKIfNUVl7uiODEe2qiPUdmdY7J/0UWksYmoAPq77rmqhfEIH9jaU 0nq3frmUk70XdEjPG9oIr1Mw02ugIS8cYPM7zn57TskNnBnrlnO2PkBzSBOGJy08 NzycvpVV7wdtvgKeZHum =b7KM -----END PGP SIGNATURE-----
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201512-0541",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "1000 ccu gms",
"scope": null,
"trust": 1.4,
"vendor": "pacom",
"version": null
},
{
"model": "rtu gms",
"scope": null,
"trust": 1.4,
"vendor": "pacom",
"version": null
},
{
"model": "rtu gms",
"scope": "eq",
"trust": 1.0,
"vendor": "pacom",
"version": "*"
},
{
"model": "1000 ccu gms",
"scope": "eq",
"trust": 1.0,
"vendor": "pacom",
"version": "*"
},
{
"model": "rtu/1000 ccu/emcs",
"scope": null,
"trust": 0.6,
"vendor": "pacom",
"version": null
},
{
"model": "systems rtu",
"scope": "eq",
"trust": 0.3,
"vendor": "pacom",
"version": "0"
},
{
"model": "systems emcs",
"scope": "eq",
"trust": 0.3,
"vendor": "pacom",
"version": "0"
},
{
"model": "systems ccu",
"scope": "eq",
"trust": 0.3,
"vendor": "pacom",
"version": "10000"
},
{
"model": "systems emcs",
"scope": "ne",
"trust": 0.3,
"vendor": "pacom",
"version": "1.3"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "1000 ccu gms",
"version": "*"
},
{
"model": null,
"scope": "eq",
"trust": 0.2,
"vendor": "rtu gms",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "0334bd80-2352-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2015-08469"
},
{
"db": "BID",
"id": "78806"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008150"
},
{
"db": "CNNVD",
"id": "CNNVD-201512-570"
},
{
"db": "NVD",
"id": "CVE-2014-3260"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:pacom:1000_ccu_gms",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:pacom:rtu_gms",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-008150"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XPD and Assured",
"sources": [
{
"db": "BID",
"id": "78806"
}
],
"trust": 0.3
},
"cve": "CVE-2014-3260",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2014-3260",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 6.5,
"id": "CNVD-2015-08469",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:A/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 6.5,
"id": "0334bd80-2352-11e6-abef-000c29c66e3d",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.2,
"vectorString": "AV:A/AC:L/Au:N/C:C/I:N/A:N",
"version": "2.9 [IVD]"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "ADJACENT",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.6,
"id": "CVE-2014-3260",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-3260",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2014-3260",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2015-08469",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201512-570",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "IVD",
"id": "0334bd80-2352-11e6-abef-000c29c66e3d",
"trust": 0.2,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "0334bd80-2352-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2015-08469"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008150"
},
{
"db": "CNNVD",
"id": "CNNVD-201512-570"
},
{
"db": "NVD",
"id": "CVE-2014-3260"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography. The Pacom 1000 CCU and RTU are products of Pacom, Sweden. The former is a network security panel for controlling, monitoring and maintaining remote sites, and the latter is a security panel that controls the access control alarm system. There are security vulnerabilities in the Pacom 1000 CCU and RTU encryption algorithms. The vulnerability can be exploited by an attacker to control communication between the program and the base station. Pacom RTU, EMCS and 1000 CCU are prone to multiple cryptography weaknesses. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n XPD - XPD Advisory\n https://xpd.se\n\n Crypto implementation flaws in Pacom GMS System\n\nAdvisory ID: XPD-2015-001\nCVE reference: CVE-2014-3260\nAffected platforms: Pacom 1000 CCU (\"Base Station\") and Controllers \n(RTU)\nVersion: All versions are affected\nDate: 2013-Oktober-10\nSecurity risk: High\nVulnerability: Crypto implementation flaws in Pacom GMS System\nResearcher: Joachim Strombergson, Fredrik Soderblom, Peter Norin\nVendor Status: Notified / Patch available\nVulnerability Disclosure Policy:\n https://xpd.se/advisories/xpd-disclosure-policy-01.txt\nPermanent URL:\n https://xpd.se/advisories/XPD-2015-001.txt\n\n=====================================================================\n\nSummary:\n\nThe Pacom 1000 CCU and controllers (RTU) is used in security alarm\n installations all over the world. The flaws we have found can bypass\n the security of any unpatched installation. 
It is located at the site itself and \nperforms\n all alarm and door control functions.\"\n - http://www.pacom.com/field-controllers.php\n\n\"Pacom security solutions are installed in over twenty countries on \nseven\n continents.\" - http://www.pacom.com/our-customers.php\n\nDetailed description:\n\nThe Pacom 1000 implementation have several serious implementation flaws. \n\nThese vulnerabilities could in a worst case scenario lead to a full\n compromise of the protocol between the controller and the base station,\n rendering an alarm system useless. \n\nPotentially a large number of sites could be affected by the described \nflaws. \n\nPRNG:\n\nThe PRNG used is of a type known as a Linear Congruential Generator. \n This type of generator are known to provide random numbers with less\n than perfect uniform distribution. The PRNG is a 16-bit generator. \n This means that the generator can only generate 2**16 numbers in a\n sequence before it must be reseeded. There is no information about\n how the generator is seeded from start nor how it is reseeded. \n\nA simulation in Dieharder shows that the used algorithm fails every\n test except for one, where it receives the result \u0027Weak\u0027. \n\nThe Linear Congruential Generator can be broken by observing values\n generated by consecutive iterations of the PRNG. The system creates\n 32-bit random numbers by extracting 8-bits from four consecutive\n 16-bit words numbers generated by the PRNG. This means that by\n observing a single 32-bit word, an attacker has in fact half the state\n information (8 out of 16 bits) from four iterations of the generator. \n\nMAC:\n\nA Message Authentication Code (MAC) is generated and added to each\n message sent between CCU and Controller. The MAC generator generator\n used is not based on any well-known secure MAC functionality such as\n HMAC or OMAC. Furthermore the generated MAC is only 32 bit. \n\nMaster Code:\n\nThere is a functionality for substitution detection. 
According to\n Pacom the functionality is based on a proprietary Pacom encryption\n method. Key to the functionality is a a 24-bit randomly generated\n value called Master Code. The Master Code is also used to generate\n the 128-bit AES key used with the substitution detection algorithm. \n Hence the effective strength of the key is not 128 bits, nor 104 bits\n (128 - 24) but 24 bits. A very short key with low security. \n\nUnfortunately it appears that the aforementioned (16 bit only),\n less than optimal, PRNG is used to generate the Master Code, thus\n reducing it\u0027s effective strength to 16 bit. \n\nThe Master Code is distributed from CCU to CPU-cards and other CCUs\n as well as GMS units (for logging purposes) in clear text. This means\n that the code potentially is sent unprotected over private networks,\n corporate networks, public networks etc. \n\nSubstitution detection:\n\nAccording to Pacom documentation the \"substitution detection involves\n appending a 128-bit check code to the controller heartbeat response\n messages. The check code is calculated from a combination of a\n hard-coded constant value, the controllers master code, and the\n message data. In essence it is another type of MAC, but one that\n employs the master code.\"\n\nThe implementation of the substitution detection uses a \"check code\"\n which is said to be 128-bits long and is appended to response messages. \n However due to a design flaw, the code is only 64 bit. \n\nIn total the heartbeat response message is 5 bytes (40 bits) long:\n\n Byte 1: The message type (e.g. heartbeat response)\n Byte 2: A value based on random numbers sent in the heartbeat command \nfrom the CCU\n Byte 3: The controller summary status\n Byte 4: The heartbeat sequence number (zero or one)\n Byte 5: Always zero\n\nOf the five bytes in the heartbeat response message, two bytes (4 and 5)\n are either one or zero, or always zero. Byte 3 is a simple status. 
So,\n of 40 bits, 32 bits are most likely predictable and the remaining 8 \nbits\n is probably choosen based on the weak PRNG. This means that a big part\n of the response message can be guessed. \n\nThe so called \"128-bit check code\" is then calculated over these 5 bytes\n using the aforementioned flawed Master Code and a 2 byte address of the\n controller, forming a 40 bit key, which is used with a hard coded \nconstant\n to form an AES-128 key. \n\nThe resulting \"128-bit check code\" from the AES encryption is XOR:ed \nwith\n its own cleartext. This means that there is a direct path from \ncleartext to\n ciphertext bypassing the AES encryption. This leaks information about\n the cleartext as well as opening up for chosen plaintext attacks. \n\nHard coded constants:\n\nThe security functionality uses several hard coded, secret constants for\n random number generation, MAC calculation, Substitution detection\n algorithm etc. Unfortunately, the way these constants are used,\n information about them are leaked through the very messages, which\n opens up for recovery of the constants. If the constants are recovered\n and thus system security is lost, the units must be reprogrammed in\n the field or even replaced. \n\n=====================================================================\nConclusion:\n\nWe do not recommend relying on the security features in the system and\n the system should be viewed as an unprotected system. \n\nIf the system is to be used, separate communication security mechanism\n should be added. \n\nHowever, the usage of hard coded constants in the units and the \nassociated\n need for field service or replacement if a breach occurs, makes us\n recommend that the system needs severe redesign before it is ready for\n production use. \n\nWe questions if the system has been designed with any knowledge of what\n has been known good security practices since at least 30 years, nor \ngood\n engineering practice. 
\n\n=====================================================================\nVersions affected:\n\nAll versions of Pacom 1000 (CCU \u0026 RTU) - According to Pacom, this \nfirmware\n will not be fixed. Customers are advised to switch to the EMCS\n platform instead. \n\nAll versions of EMCS (Pacom .is) prior to 1.3\n\nThe vendor reports that the following versions are patched:\n EMCS (Pacom .is) version 1.3 and above\n\n=====================================================================\nCredits\n\nThis vulnerability was discovered and researched by Joachim Strombergson\n from Assured AB, Fredrik Soderblom and Peter Norin from XPD AB. \n\n=====================================================================\nReferences\n\nhttps://en.wikipedia.org/wiki/Linear_congruential_generator\nhttps://en.wikipedia.org/wiki/Diehard_tests\n\n=====================================================================\nHistory\n\n2013-10-10 Initial Discovery\n2013-10-22 Initial attempt to contact the vendor\n2013-11-12 Reply from Niscayah, case is assigned to internal resource\n2014-05-07 CVE-2014-3260 is assigned\n2014-06-05 Draft of the advisory sent to the vendor\n2014-09-01 Pacom notifies us that fixed firmware (EMCS only) is ready\n2015-12-08 Public disclosure\n\n=====================================================================\nAbout Assured\n\nAssured AB is a privately held company with headquarters in Gothenburg,\n Sweden. Established in 2015, Assured is an independant security\n consultancy firm that provides expert knowledge, advisory and\n design of IT- security solutions. \n\nhttp://assured.se\n\nAbout XPD\n\nXPD AB is a privately held company with Headquarters in Stockholm, \nSweden. \n Established in 2002, XPD AB is an independent security consulting and\n research firm, with a focus on security and perimeter security \nsolutions. 
\n\nhttps://xpd.se\n\n=====================================================================\nDisclaimer and Copyright\n\nCopyright (c)2015 XPD AB and Assured AB. All rights reserved. \nThis advisory may be distributed as long as its distribution is\n free-of-charge and proper credit is given. \n\nThe information provided in this advisory is provided \"as is\" without\n warranty of any kind. XPD AB and Assured AB disclaims all warranties,\n either express or implied, including the warranties of merchantability \nand\n fitness for a particular purpose. In no event shall XPD AB or Assured \nAB,\n or its suppliers be liable for any damages whatsoever including direct,\n indirect, incidental, consequential, loss of business profits or\n special damages, even if XPD AB or Assured AB, or its suppliers have \nbeen\n advised of the possibility of such damages. \n\n-----BEGIN PGP SIGNATURE-----\n\niQIcBAEBCgAGBQJWYCTaAAoJEH47YPoA7U9kecIQAJP3eHCA6zdz3sq1bAPg4JOc\nSBmq/auoraVpcucBzjVkGy8qtCF12mu0Gf2Kn6zwCtUcBmfjAo97HZYFx582ofOy\nK0ZGkA06tfGWJthDZ1eyeotQq9yBRLl1un1hGmrM/CvyRMp7KDd2jUptBps6Ddrk\ndl5a8+tMcQkedSV+dNDLwVpLWn8/hsDL8YjbZCeVomNtgceTb07hMv6zqrf3TgYZ\nyyq7xlLNzEyQSXyF0qF+yKsQ0HQyAnzQyoyzzYjeSbBBhvjeb/6x0S8t0QuP2Hqy\ncM+zNn/zzPoaubHFVUMi0tluhr/mqagrdmugmWG5cEfStmZYKJLkM/1EkFZDmlUF\nfuWQ/YrIgYU8twBwqzO+9iUdMM6gqRNaKIO5nN+1ivlYwxoVJ5N+gYCUbEZCGQac\nJDWGuYtHUpEzL/E2WrLq6iTpxutn1iAuyDM67/vsJaucLngLHJdW/iCIx4OVNdn4\ncaXMo4UZbJUzzu1OOCtCuYpUZHIbLuuVZkmb3ihj5UL/Z9OXyGKv4XpFed8xqydx\nFnB+dsnaG1HKyKIfNUVl7uiODEe2qiPUdmdY7J/0UWksYmoAPq77rmqhfEIH9jaU\n0nq3frmUk70XdEjPG9oIr1Mw02ugIS8cYPM7zn57TskNnBnrlnO2PkBzSBOGJy08\nNzycvpVV7wdtvgKeZHum\n=b7KM\n-----END PGP SIGNATURE-----\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-3260"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008150"
},
{
"db": "CNVD",
"id": "CNVD-2015-08469"
},
{
"db": "BID",
"id": "78806"
},
{
"db": "IVD",
"id": "0334bd80-2352-11e6-abef-000c29c66e3d"
},
{
"db": "PACKETSTORM",
"id": "134769"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-3260",
"trust": 3.6
},
{
"db": "ICS CERT",
"id": "ICSA-15-337-03",
"trust": 3.3
},
{
"db": "BID",
"id": "78806",
"trust": 0.9
},
{
"db": "CNVD",
"id": "CNVD-2015-08469",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201512-570",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008150",
"trust": 0.8
},
{
"db": "IVD",
"id": "0334BD80-2352-11E6-ABEF-000C29C66E3D",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "134769",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "0334bd80-2352-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2015-08469"
},
{
"db": "BID",
"id": "78806"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008150"
},
{
"db": "PACKETSTORM",
"id": "134769"
},
{
"db": "CNNVD",
"id": "CNNVD-201512-570"
},
{
"db": "NVD",
"id": "CVE-2014-3260"
}
]
},
"id": "VAR-201512-0541",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "IVD",
"id": "0334bd80-2352-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2015-08469"
}
],
"trust": 1.8
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.8
}
],
"sources": [
{
"db": "IVD",
"id": "0334bd80-2352-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2015-08469"
}
]
},
"last_update_date": "2024-11-23T22:22:48.305000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.pacom.com/index.php"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-008150"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-310",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-008150"
},
{
"db": "NVD",
"id": "CVE-2014-3260"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.3,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-15-337-03"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3260"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3260"
},
{
"trust": 0.3,
"url": "http://www.pacom.com/pacom-is.php"
},
{
"trust": 0.1,
"url": "https://xpd.se/advisories/xpd-disclosure-policy-01.txt"
},
{
"trust": 0.1,
"url": "http://www.pacom.com/field-controllers.php"
},
{
"trust": 0.1,
"url": "http://assured.se"
},
{
"trust": 0.1,
"url": "https://en.wikipedia.org/wiki/diehard_tests"
},
{
"trust": 0.1,
"url": "https://xpd.se"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3260"
},
{
"trust": 0.1,
"url": "https://en.wikipedia.org/wiki/linear_congruential_generator"
},
{
"trust": 0.1,
"url": "https://xpd.se/advisories/xpd-2015-001.txt"
},
{
"trust": 0.1,
"url": "http://www.pacom.com/our-customers.php"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2015-08469"
},
{
"db": "BID",
"id": "78806"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008150"
},
{
"db": "PACKETSTORM",
"id": "134769"
},
{
"db": "CNNVD",
"id": "CNNVD-201512-570"
},
{
"db": "NVD",
"id": "CVE-2014-3260"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "IVD",
"id": "0334bd80-2352-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2015-08469"
},
{
"db": "BID",
"id": "78806"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008150"
},
{
"db": "PACKETSTORM",
"id": "134769"
},
{
"db": "CNNVD",
"id": "CNNVD-201512-570"
},
{
"db": "NVD",
"id": "CVE-2014-3260"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-12-25T00:00:00",
"db": "IVD",
"id": "0334bd80-2352-11e6-abef-000c29c66e3d"
},
{
"date": "2015-12-25T00:00:00",
"db": "CNVD",
"id": "CNVD-2015-08469"
},
{
"date": "2015-12-08T00:00:00",
"db": "BID",
"id": "78806"
},
{
"date": "2016-01-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-008150"
},
{
"date": "2015-12-11T01:09:57",
"db": "PACKETSTORM",
"id": "134769"
},
{
"date": "2015-12-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201512-570"
},
{
"date": "2015-12-31T05:59:00.080000",
"db": "NVD",
"id": "CVE-2014-3260"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-12-25T00:00:00",
"db": "CNVD",
"id": "CNVD-2015-08469"
},
{
"date": "2015-12-08T00:00:00",
"db": "BID",
"id": "78806"
},
{
"date": "2016-01-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-008150"
},
{
"date": "2016-01-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201512-570"
},
{
"date": "2024-11-21T02:07:44.720000",
"db": "NVD",
"id": "CVE-2014-3260"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201512-570"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Pacom 1000 CCU and RTU GMS Vulnerability to forge data stream between controller and base in device",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-008150"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "encryption problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201512-570"
}
],
"trust": 0.6
}
}
ghsa-9gqh-qrg2-6mwj
Vulnerability from github
Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography.
{
"affected": [],
"aliases": [
"CVE-2014-3260"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-12-31T05:59:00Z",
"severity": "HIGH"
},
"details": "Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography.",
"id": "GHSA-9gqh-qrg2-6mwj",
"modified": "2022-05-17T04:00:17Z",
"published": "2022-05-17T04:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3260"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
cnvd-2015-08469
Vulnerability from cnvd
目前没有详细的解决方案提供: http://www.pacom.com/
| Name | Pacom RTU/1000 CCU/EMCS |
|---|---|
{
"bids": {
"bid": {
"bidNumber": "78806"
}
},
"cves": {
"cve": {
"cveNumber": "CVE-2014-3260"
}
},
"description": "Pacom 1000 CCU\u548cRTU\u90fd\u662f\u745e\u5178Pacom\u516c\u53f8\u7684\u4ea7\u54c1\u3002\u524d\u8005\u662f\u4e00\u5957\u7528\u4e8e\u63a7\u5236\u3001\u76d1\u63a7\u548c\u7ef4\u62a4\u8fdc\u7a0b\u7ad9\u70b9\u7684\u7f51\u7edc\u5b89\u5168\u9762\u677f\uff0c\u540e\u8005\u662f\u4e00\u5957\u63a7\u5236\u95e8\u7981\u62a5\u8b66\u7cfb\u7edf\u7684\u5b89\u5168\u9762\u677f\u3002\r\n\r\nPacom 1000 CCU\u548cRTU\u7684\u52a0\u5bc6\u7b97\u6cd5\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63a7\u5236\u7a0b\u5e8f\u548c\u57fa\u7ad9\u4e4b\u95f4\u7684\u901a\u4fe1\u3002",
"discovererName": "XPD and Assured",
"formalWay": "\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\nhttp://www.pacom.com/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2015-08469",
"openTime": "2015-12-25",
"products": {
"product": "Pacom RTU/1000 CCU/EMCS"
},
"referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-15-337-03",
"serverity": "\u4e2d",
"submitTime": "2015-12-24",
"title": "Pacom RTU/1000 CCU/EMCS\u52a0\u5bc6\u5f31\u53e3\u4ee4\u6f0f\u6d1e"
}
icsa-15-337-03
Vulnerability from csaf_cisa
Notes
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the risk of exploitation.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolating them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-15-337-03 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2015/icsa-15-337-03.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-15-337-03 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-15-337-03"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ncas/tips/ST04-014"
}
],
"title": "Pacom 1000 CCU GMS System Cryptographic Implementation Vulnerabilities",
"tracking": {
"current_release_date": "2025-06-09T16:28:39.850718Z",
"generator": {
"date": "2025-06-09T16:28:39.850659Z",
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-15-337-03",
"initial_release_date": "2015-09-05T06:00:00.000000Z",
"revision_history": [
{
"date": "2015-09-05T06:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "Initial Publication"
},
{
"date": "2025-06-09T16:28:39.850718Z",
"legacy_version": "CSAF Conversion",
"number": "2",
"summary": "Advisory converted into a CSAF"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Pacom Pacom 1000 CCU and RTU: vers:all/*",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "Pacom 1000 CCU and RTU"
}
],
"category": "vendor",
"name": "Pacom"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-3260",
"cwe": {
"id": "CWE-325",
"name": "Missing Cryptographic Step"
},
"notes": [
{
"category": "summary",
"text": "Pacom 1000 CCU and RTU GMS devices allow remote attackers to spoof the controller-to-base data stream by leveraging improper use of cryptography.",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Pacom has not produced a patch to mitigate this vulnerability in Pacom 1000 CCU and RTU but has released new firmware (v1.3) for the EMCS system.",
"product_ids": [
"CSAFPID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001"
]
}
]
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.