CVE-2015-2909 — CRITICAL (9.8)

Vulnerability Description

Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 devices rely on a GUI warning to help ensure that the administrator configures login credentials, which makes it easier for remote attackers to obtain access by leveraging situations in which this warning was not heeded. NOTE: the vendor states "The user is presented with clear warnings on the GUI that they should set usernames and passwords."

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Netvu	Dv-Ip Express Firmware	-
Netvu	Dv-Ip Express	-
Netvu	Sd-Advanced - Sdhd Firmware	-
Netvu	Sd-Advanced - Sdhd	All versions
Netvu	Sd-Advanced 8\/12\/16 Vga Firmware	-
Netvu	Sd-Advanced 8\/12\/16 Vga	-
Netvu	Sd Advanced Closed Iptv \(M3U\) Firmware	-
Netvu	Sd Advanced Closed Iptv \(M3U\)	-
Netvu	Sd Advanced Non Closed Iptv \(M3U\) Firmware	-
Netvu	Sd Advanced Non Closed Iptv \(M3U\)	-
Netvu	Sd Advanced Nvr Firmware	-
Netvu	Sd Advanced Nvr	-
Netvu	Sd 32 \(M3G\) Firmware	-
Netvu	Sd 32 \(M3G\)	-
Netvu	Sd 32 \(M3H\) Firmware	-
Netvu	Sd 32 \(M3H\)	-
Netvu	Sd 4 \(M3S\) Firmware	-
Netvu	Sd 4 \(M3S\)	-
Netvu	Sd 4 \(M3T\) Firmware	-
Netvu	Sd 4 \(M3T\)	-

Related Weaknesses (CWE)

CWE-269

References

http://cybergibbons.com/security-2/shodan-searches/interesting-shodan-searches-sExploitThird Party Advisory
http://www.kb.cert.org/vuls/id/276148Third Party AdvisoryUS Government Resource
http://cybergibbons.com/security-2/shodan-searches/interesting-shodan-searches-sExploitThird Party Advisory
http://www.kb.cert.org/vuls/id/276148Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2015-2909?

CVE-2015-2909 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Dedicated Micros DV-IP Express, SD Advanced, SD, EcoSense, and DS2 devices rely on a GUI warning to help ensure that the administrator configures login credentials, which makes it easier for remote at...

How severe is CVE-2015-2909?

CVE-2015-2909 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2015-2909?

Check the references section above for vendor advisories and patch information. Affected products include: Netvu Dv-Ip Express Firmware, Netvu Dv-Ip Express, Netvu Sd-Advanced - Sdhd Firmware, Netvu Sd-Advanced - Sdhd, Netvu Sd-Advanced 8\/12\/16 Vga Firmware.