CVE-2014-5419 — HIGH (10.0)

Q: How severe is CVE-2014-5419?

CVE-2014-5419 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-5419?

Check the references section above for vendor advisories and patch information. Affected products include: Ge Multilink Ml3100 Firmware, Ge Multilink Ml3100, Ge Multilink Ml3000 Firmware, Ge Multilink Ml3000, Ge Multilink Ml810 Firmware.

Vulnerability Description

GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key across different customers' installations, which makes it easier for remote attackers to obtain the cleartext content of network traffic by reading this key from a firmware image and then sniffing the network.

CVSS Score

10.0

HIGH

AV:N/AC:L/Au:N/C:C/I:C/A:C

Confidentiality

COMPLETE

Integrity

COMPLETE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
Ge	Multilink Ml3100 Firmware	<= 5.2.0
Ge	Multilink Ml3100	All versions
Ge	Multilink Ml3000 Firmware	<= 5.2.0
Ge	Multilink Ml3000	All versions
Ge	Multilink Ml810 Firmware	<= 5.2.0
Ge	Multilink Ml810	-
Ge	Multilink Ml1600 Firmware	<= 4.2.1
Ge	Multilink Ml1600	-
Ge	Multilink Ml800 Firmware	<= 4.2.1
Ge	Multilink Ml800	-
Ge	Multilink Ml2400 Firmware	<= 4.2.1
Ge	Multilink Ml2400	-
Ge	Multilink Ml1200 Firmware	<= 4.2.1
Ge	Multilink Ml1200	-

Related Weaknesses (CWE)

CWE-321 CWE-310

References

http://www.gedigitalenergy.com/products/support/multilink/MLSB1214.pdfVendor Advisory
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-01
https://www.cisa.gov/news-events/ics-advisories/icsa-15-013-04a
http://www.gedigitalenergy.com/products/support/multilink/MLSB1214.pdfVendor Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-15-013-04Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2014-5419?

CVE-2014-5419 is a vulnerability with a CVSS score of 10.0 (HIGH). GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key ac...

How severe is CVE-2014-5419?

CVE-2014-5419 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-5419?

Check the references section above for vendor advisories and patch information. Affected products include: Ge Multilink Ml3100 Firmware, Ge Multilink Ml3100, Ge Multilink Ml3000 Firmware, Ge Multilink Ml3000, Ge Multilink Ml810 Firmware.