CVE-2014-2350 (GCVE-0-2014-2350)
Vulnerability from cvelistv5
Published
2014-05-22 20:00
Modified
2025-10-31 22:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:14:25.031Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "DeltaV",
"vendor": "Emerson",
"versions": [
{
"status": "affected",
"version": "10.3.1"
},
{
"status": "affected",
"version": "11.3"
},
{
"status": "affected",
"version": "11.3.1"
},
{
"status": "affected",
"version": "12.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov, and Timur Yunusov of Positive Technologies"
}
],
"datePublic": "2014-05-22T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\nEmerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.\n\n\u003c/p\u003e"
}
],
"value": "Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program."
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "HIGH",
"accessVector": "LOCAL",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 2.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:H/Au:S/C:N/I:P/A:P",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-31T22:55:07.498Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-133-02"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Emerson has created a patch to mitigate these vulnerabilities. Emerson \nhas distributed a notification (KBA NK-1400-0031) that provides details \nof the vulnerabilities, recommended mitigations, and instructions on \nobtaining and installing the patch. This document is available on \nEmerson\u2019s support site to users who have support contracts with Emerson.\n If you do not have access to this site and need to apply the patch, \nplease contact customer service at 1\u2011800\u2011833\u20118314.\n\n\u003cbr\u003e"
}
],
"value": "Emerson has created a patch to mitigate these vulnerabilities. Emerson \nhas distributed a notification (KBA NK-1400-0031) that provides details \nof the vulnerabilities, recommended mitigations, and instructions on \nobtaining and installing the patch. This document is available on \nEmerson\u2019s support site to users who have support contracts with Emerson.\n If you do not have access to this site and need to apply the patch, \nplease contact customer service at 1\u2011800\u2011833\u20118314."
}
],
"source": {
"advisory": "ICSA-14-133-02",
"discovery": "UNKNOWN"
},
"title": "Emerson DeltaV Use of Hard-coded Credentials",
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2014-2349",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 allows local users to modify or read configuration files by leveraging engineering-level privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://ics-cert.us-cert.gov/advisories/ICSA-14-133-02",
"refsource": "MISC",
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-133-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2014-2350",
"datePublished": "2014-05-22T20:00:00",
"dateReserved": "2014-03-13T00:00:00",
"dateUpdated": "2025-10-31T22:55:07.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2014-2350\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2014-05-22T20:55:06.440\",\"lastModified\":\"2025-10-31T23:15:32.127\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.\"},{\"lang\":\"es\",\"value\":\"Emerson DeltaV 10.3.1, 11.3, 11.3.1 y 12.3 utiliza credenciales embebidas para servicios diagn\u00f3sticos, lo que permite a atacantes remotos evadir restricciones de acceso a trav\u00e9s de una sesi\u00f3n TCP, tal y como fue demostrado por una sesi\u00f3n que utiliza el programa telnet.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:H/Au:S/C:N/I:P/A:P\",\"baseScore\":2.4,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"HIGH\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":1.5,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-255\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:emerson:deltav:10.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E005DD9A-07FB-4DE2-810B-372E62A091B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:emerson:deltav:11.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D0123046-D89E-4FBB-9176-C04E0C65E9AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:emerson:deltav:11.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"943B3480-56C4-4131-BE8F-62FE035D4619\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:emerson:deltav:12.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DA838B9-D68D-46FE-88A8-C0D1C3AC407C\"}]}]}],\"references\":[{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-14-133-02\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"http://ics-cert.us-cert.gov/advisories/ICSA-14-133-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…