CERT VU:917348
Jul 11, 2014

Datum Systems satellite modem devices contain multiple vulnerabilities

2014-07-11 00:00:00
www.kb.cert.org

CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.005 Low
Percentile: 75.8%

Overview

Datum Systems PSM-4500 and PSM-500 series satellite modem devices contain multiple vulnerabilities.

Description

CWE-220: Sensitive Data Under FTP Root - CVE-2014-2950

The Datum Systems SnIP operating system on PSM-4500 and PSM-500 satellite modem devices has FTP enabled by default with no credentials required, which allows open access to sensitive areas of the file system.

CWE-798: Use of Hard-coded Credentials - CVE-2014-2951

The Datum Systems SnIP operating system on PSM-4500 and PSM-500 satellite modem devices has an undocumented admin user account with the password of admin.


Impact

A remote unauthenticated attacker may be able to gain full control of the device.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.


Vendor Information


Datum Systems Unknown

Notified: May 16, 2014 Updated: July 09, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group          Score  Vector
Base           10     AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.1    E:POC/RL:U/RC:UC
Environmental  2.0    CDP:N/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Narendra Shinde and Ashish Kamble from Qualys Inc. for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2014-2950, CVE-2014-2951
Date Public: 2014-07-11 Date First Published:
