CVE-2014-5427

Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read password hashes via a POST request.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://ics-cert.us-cert.gov/advisories/ICSA-14-350-02	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:johnsoncontrols:metsys:4.1:::::::*
	cpe:2.3:a:johnsoncontrols:metsys:6.5:::::::*

OR	cpe:2.3:h:johnsoncontrols:extended_application_and_data_server:-:::::::*
	cpe:2.3:h:johnsoncontrols:network_integration_engine_5510-2:-:::::::*
	cpe:2.3:h:johnsoncontrols:nxe8500:-:::::::*
	cpe:2.3:h:johnsoncontrols:network_automation_engine_5510-2:-:::::::*
	cpe:2.3:h:johnsoncontrols:network_automation_engine_5510-2u:-:::::::*
	cpe:2.3:h:johnsoncontrols:network_automation_engine_5511-2:-:::::::*
	cpe:2.3:h:johnsoncontrols:network_automation_engine_5520-2:-:::::::*
	cpe:2.3:h:johnsoncontrols:application_and_data_server:-:::::::*
	cpe:2.3:h:johnsoncontrols:lonworks_control_server_lcs8520:-:::::::*
	cpe:2.3:h:johnsoncontrols:network_automation_engine_5521-2:-:::::::*
	cpe:2.3:h:johnsoncontrols:network_integration_engine_5511-2:-:::::::*

Information

Published : 2015-03-29 03:59

Updated : 2015-03-30 10:06

NVD link : CVE-2014-5427

Mitre link : CVE-2014-5427

JSON object : View

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Products Affected

johnsoncontrols

network_automation_engine_5510-2u
network_automation_engine_5510-2
network_automation_engine_5521-2
network_integration_engine_5510-2
network_integration_engine_5511-2
nxe8500
metsys
network_automation_engine_5520-2
application_and_data_server
network_automation_engine_5511-2
extended_application_and_data_server
lonworks_control_server_lcs8520

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-350-02", "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-350-02", "tags": ["Third Party Advisory", "US Government Resource"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read password hashes via a POST request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-200"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-5427", "ASSIGNER": "ics-cert@hq.dhs.gov"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2015-03-29T10:59Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:johnsoncontrols:metsys:4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:johnsoncontrols:metsys:6.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:johnsoncontrols:extended_application_and_data_server:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:johnsoncontrols:network_integration_engine_5510-2:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:johnsoncontrols:nxe8500:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:johnsoncontrols:network_automation_engine_5510-2:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:johnsoncontrols:network_automation_engine_5510-2u:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:johnsoncontrols:network_automation_engine_5511-2:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:johnsoncontrols:network_automation_engine_5520-2:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:johnsoncontrols:application_and_data_server:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:johnsoncontrols:lonworks_control_server_lcs8520:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:johnsoncontrols:network_automation_engine_5521-2:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:johnsoncontrols:network_integration_engine_5511-2:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2015-03-30T17:06Z"}

5.0 /10