cnvd - cnvd-2015-00451

cnvd-2015-00451

Vulnerability from cnvd

Title

多个General Electric(GE)产品存在内置密钥安全绕过漏洞

Description

General Electric Company是世界上最大的电气设备，电器和电子设备制造公司。多个General Electric(GE)产品存在安全漏洞，允许攻击者利用此漏洞获取敏感信息，执行未经授权的操作，或发起拒绝服务攻击。

Severity

高

Patch Name

多个General Electric(GE)产品存在内置密钥安全绕过漏洞的补丁

Patch Description

General Electric Company是世界上最大的电气设备，电器和电子设备制造公司。多个General Electric(GE)产品存在安全漏洞，允许攻击者利用此漏洞获取敏感信息，执行未经授权的操作，或发起拒绝服务攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://www.gedigitalenergy.com

Reference

https://ics-cert.us-cert.gov/advisories/ICSA-15-013-04 http://www.securityfocus.com/bid/72069

Impacted products

Name
['General Electric GE Multilink ML800', 'General Electric GE Multilink ML1200', 'General Electric GE Multilink ML1600', 'General Electric GE Multilink ML2400 switches with firmware 4.2.1', 'General Electric GE Multilink \r\nML810', 'General Electric GE Multilink ML3000', 'General Electric GE Multilink ML3100 switches with firmware 5.2.0']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "72069"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2014-5419"
    }
  },
  "description": "General Electric Company\u662f\u4e16\u754c\u4e0a\u6700\u5927\u7684\u7535\u6c14\u8bbe\u5907\uff0c\u7535\u5668\u548c\u7535\u5b50\u8bbe\u5907\u5236\u9020\u516c\u53f8\u3002\r\n\r\n\u591a\u4e2aGeneral Electric(GE)\u4ea7\u54c1\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6b64\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\uff0c\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u64cd\u4f5c\uff0c\u6216\u53d1\u8d77\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002",
  "discovererName": "Eireann Leverett of IOActive",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttp://www.gedigitalenergy.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-00451",
  "openTime": "2015-01-21",
  "patchDescription": "General Electric Company\u662f\u4e16\u754c\u4e0a\u6700\u5927\u7684\u7535\u6c14\u8bbe\u5907\uff0c\u7535\u5668\u548c\u7535\u5b50\u8bbe\u5907\u5236\u9020\u516c\u53f8\u3002\r\n\r\n\u591a\u4e2aGeneral Electric(GE)\u4ea7\u54c1\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528\u6b64\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\uff0c\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u64cd\u4f5c\uff0c\u6216\u53d1\u8d77\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u4e2aGeneral Electric(GE)\u4ea7\u54c1\u5b58\u5728\u5185\u7f6e\u5bc6\u94a5\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "General Electric GE Multilink ML800",
      "General Electric GE Multilink ML1200",
      "General Electric GE Multilink ML1600",
      "General Electric GE Multilink ML2400 switches with firmware 4.2.1",
      "General Electric GE Multilink \r\nML810",
      "General Electric GE Multilink ML3000",
      "General Electric GE Multilink ML3100 switches with firmware 5.2.0"
    ]
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-15-013-04\r\nhttp://www.securityfocus.com/bid/72069",
  "serverity": "\u9ad8",
  "submitTime": "2015-01-16",
  "title": "\u591a\u4e2aGeneral Electric(GE)\u4ea7\u54c1\u5b58\u5728\u5185\u7f6e\u5bc6\u94a5\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2014-5419 (GCVE-0-2014-5419)

Vulnerability from cvelistv5

Published

2015-01-17 02:00

Modified

2025-11-04 23:32

Severity ?

CWE

CWE-321

Summary

GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key across different customers' installations, which makes it easier for remote attackers to obtain the cleartext content of network traffic by reading this key from a firmware image and then sniffing the network.

References

URL

Tags

	https://www.cisa.gov/news-events/ics-advisories/icsa-15-013-04a
	http://www.gedigitalenergy.com/products/support/multilink/MLSB1214.pdf	x_refsource_CONFIRM
	https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-013-04a.json

Impacted products

Vendor

Product

Version

Multilink ML800/1200/1600/2400

Version: 0 <

ML810/3000/3100 series switch