fkie_nvd - fkie_cve-2013-4732

FKIE_CVE-2013-4732

Vulnerability from fkie_nvd - Published: 2013-06-30 19:28 - Updated: 2025-04-11 00:51

Severity ?

Summary

The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network. NOTE: VU#662676 states "Monroe Electronics could not reproduce this finding.

References

URL	Tags
cve@mitre.org	http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf	Vendor Advisory
cve@mitre.org	http://www.kb.cert.org/vuls/id/662676	US Government Resource
cve@mitre.org	http://www.kb.cert.org/vuls/id/AAMN-98MU7H	US Government Resource
cve@mitre.org	http://www.kb.cert.org/vuls/id/AAMN-98MUK2	US Government Resource
cve@mitre.org	http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.kb.cert.org/vuls/id/662676	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.kb.cert.org/vuls/id/AAMN-98MU7H	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.kb.cert.org/vuls/id/AAMN-98MUK2	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf	Vendor Advisory

Impacted products

Vendor	Product	Version
digital_alert_systems	dasdec_eas	*
digital_alert_systems	dasdec_eas	2.0-0
digital_alert_systems	dasdec_eas	2.0-1
monroe_electronics	r189_one-net_eas	*
monroe_electronics	r189_one-net_eas	2.0-0
monroe_electronics	r189_one-net_eas	2.0-1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:digital_alert_systems:dasdec_eas:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A6190CC-FD4E-4CF2-81CE-9E108EF4B7B4",
              "versionEndIncluding": "2.0-2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:digital_alert_systems:dasdec_eas:2.0-0:*:*:*:*:*:*:*",
              "matchCriteriaId": "308B32AD-1091-4528-964B-7394D54B1D4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:digital_alert_systems:dasdec_eas:2.0-1:*:*:*:*:*:*:*",
              "matchCriteriaId": "0F56C2F8-B2EC-4A96-898A-EAD3D02B7A6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:monroe_electronics:r189_one-net_eas:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "03F1A7BA-78B3-4ED0-947D-2CADF4A981D9",
              "versionEndIncluding": "2.0-2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:monroe_electronics:r189_one-net_eas:2.0-0:*:*:*:*:*:*:*",
              "matchCriteriaId": "90C5BDD8-C91B-44EB-870E-FABEFCFA5F7B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:h:monroe_electronics:r189_one-net_eas:2.0-1:*:*:*:*:*:*:*",
              "matchCriteriaId": "72D48CEF-FD5C-4547-A1A6-7FBF509AA12A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [
    {
      "sourceIdentifier": "cve@mitre.org",
      "tags": [
        "disputed"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network.  NOTE: VU#662676 states \"Monroe Electronics could not reproduce this finding."
    },
    {
      "lang": "es",
      "value": "** EN DISPUTA ** El servidor Web de administraci\u00f3n del dispositivo Digital Alert Systems DASDEC EAS hasta v2.0-2 y el dispositivo Monroe Electronics R189 One-Net hasta v2.0-2 use un ID de sesi\u00f3n predecible, lo que permite a los atacantes remotos secuestrar la sesi\u00f3n de los usuarios mediante  EAS utiliza valores de ID de sesi\u00f3n predecibles, lo que hace que sea m\u00e1s f\u00e1cil para los atacantes remotos secuestrar sesiones mediante la captura de datos de red (\"sniffing\"). NOTA: VU#662676 dice que. Monroe Electronics no puede reproducir este hallazgo\""
    }
  ],
  "id": "CVE-2013-4732",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-06-30T19:28:10.173",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/662676"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/AAMN-98MU7H"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/AAMN-98MUK2"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/662676"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/AAMN-98MU7H"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/AAMN-98MUK2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-255"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2013-4732 (GCVE-0-2013-4732)

Vulnerability from cvelistv5 – Published: 2013-06-29 21:00 – Updated: 2024-09-16 17:54

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://www.kb.cert.org/vuls/id/AAMN-98MU7H	x_refsource_MISC
	http://www.digitalalertsystems.com/pdf/130604-Mon…	x_refsource_MISC
	http://www.kb.cert.org/vuls/id/662676	third-party-advisoryx_refsource_CERT-VN
	http://www.kb.cert.org/vuls/id/AAMN-98MUK2	x_refsource_MISC
	http://www.monroe-electronics.com/MONROE_ELECTRON…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:52:27.001Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/AAMN-98MU7H"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf"
          },
          {
            "name": "VU#662676",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/662676"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/AAMN-98MUK2"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network.  NOTE: VU#662676 states \"Monroe Electronics could not reproduce this finding."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-06-29T21:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.kb.cert.org/vuls/id/AAMN-98MU7H"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf"
        },
        {
          "name": "VU#662676",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/662676"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.kb.cert.org/vuls/id/AAMN-98MUK2"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf"
        }
      ],
      "tags": [
        "disputed"
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-4732",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "** DISPUTED ** The administrative web server on the Digital Alert Systems DASDEC EAS device through 2.0-2 and the Monroe Electronics R189 One-Net EAS device through 2.0-2 uses predictable session ID values, which makes it easier for remote attackers to hijack sessions by sniffing the network.  NOTE: VU#662676 states \"Monroe Electronics could not reproduce this finding.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.kb.cert.org/vuls/id/AAMN-98MU7H",
              "refsource": "MISC",
              "url": "http://www.kb.cert.org/vuls/id/AAMN-98MU7H"
            },
            {
              "name": "http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf",
              "refsource": "MISC",
              "url": "http://www.digitalalertsystems.com/pdf/130604-Monroe-Security-PR.pdf"
            },
            {
              "name": "VU#662676",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/662676"
            },
            {
              "name": "http://www.kb.cert.org/vuls/id/AAMN-98MUK2",
              "refsource": "MISC",
              "url": "http://www.kb.cert.org/vuls/id/AAMN-98MUK2"
            },
            {
              "name": "http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf",
              "refsource": "MISC",
              "url": "http://www.monroe-electronics.com/MONROE_ELECTRONICS_PDF/130604-Monroe-Security-PR.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-4732",
    "datePublished": "2013-06-29T21:00:00Z",
    "dateReserved": "2013-06-29T00:00:00Z",
    "dateUpdated": "2024-09-16T17:54:12.663Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2013-4732

CVE-2013-4732 (GCVE-0-2013-4732)

Tags

Sightings

Nomenclature