github - ghsa-rpj9-vvgv-g3hf

GHSA-RPJ9-VVGV-G3HF

Vulnerability from github – Published: 2022-05-17 04:37 – Updated: 2025-10-14 00:31

Details

Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not verify the integrity of downloaded updates, which allows remote attackers to execute arbitrary code via a Trojan horse update.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2014-2378"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-494",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-09-05T17:55:00Z",
    "severity": "HIGH"
  },
  "details": "Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not verify the integrity of downloaded updates, which allows remote attackers to execute arbitrary code via a Trojan horse update.",
  "id": "GHSA-rpj9-vvgv-g3hf",
  "modified": "2025-10-14T00:31:01Z",
  "published": "2022-05-17T04:37:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2378"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-247-01"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-247-01a"
    },
    {
      "type": "WEB",
      "url": "http://www.sensysnetworks.com/distributors"
    },
    {
      "type": "WEB",
      "url": "http://www.sensysnetworks.com/resources-by-category/#sw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2014-2378 (GCVE-0-2014-2378)

Vulnerability from cvelistv5 – Published: 2014-09-05 17:00 – Updated: 2025-10-13 23:00

Summary

Severity ?

No CVSS data available.

CWE

CWE-494

Assigner

icscert

References

URL

Tags

	https://www.cisa.gov/news-events/ics-advisories/i…
	http://www.sensysnetworks.com/resources-by-category/#sw
	http://www.sensysnetworks.com/distributors/

Impacted products

Vendor

Product

Version

Sensys Networks

VSN240-F

Affected: 0 , < VDS 2.10.1 (custom)
Affected: 0 , < VDS 1.8.8 (custom)
Affected: 0 , < TrafficDOT 2.10.3 (custom)

Sensys Networks

VSN240-T

Affected: 0 , < VDS 2.10.1 (custom)
Affected: 0 , < VDS 1.8.8 (custom)
Affected: 0 , < TrafficDOT 2.10.3 (custom)

Credits

Cesar Cerrudo of IOActive

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T10:14:25.782Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-247-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "VSN240-F",
          "vendor": "Sensys Networks",
          "versions": [
            {
              "lessThan": "VDS 2.10.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "VDS 1.8.8",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "TrafficDOT 2.10.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "VSN240-T",
          "vendor": "Sensys Networks",
          "versions": [
            {
              "lessThan": "VDS 2.10.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "VDS 1.8.8",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "TrafficDOT 2.10.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Cesar Cerrudo of IOActive"
        }
      ],
      "datePublic": "2014-09-04T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not verify the integrity of downloaded updates, which allows remote attackers to execute arbitrary code via a Trojan horse update.\u003c/p\u003e"
            }
          ],
          "value": "Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not verify the integrity of downloaded updates, which allows remote attackers to execute arbitrary code via a Trojan horse update."
        }
      ],
      "metrics": [
        {
          "cvssV2_0": {
            "accessComplexity": "HIGH",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:A/AC:H/Au:N/C:C/I:C/A:P",
            "version": "2.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-494",
              "description": "CWE-494",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-13T23:00:45.632Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-247-01a"
        },
        {
          "url": "http://www.sensysnetworks.com/resources-by-category/#sw"
        },
        {
          "url": "http://www.sensysnetworks.com/distributors/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSensys Networks has produced updated product versions VDS 2.10.1 and \nTrafficDOT 2.10.3 to remediate vulnerabilities identified in their \nVSN240-F and VSN240-T traffic sensors.\u003cbr\u003e\u003c/p\u003e\n\n\u003cp\u003eSensys Networks has released software update VDS 1.8.8, for an older \nmodel access point, to remediate traffic sensor vulnerabilities.\u003c/p\u003e\n\u003cp\u003eThe updated human-machine interface version, TrafficDOT 2.10.3, \nenables encrypted software downloads for sensors and sensor data \nauthentication for access points and access point controller cards using\n updated versions VDS 2.10.1 or VDS 1.8.8.\u003cbr\u003e\u003c/p\u003e\n\n\u003cp\u003eAdditional information about Sensys Networks\u2019 software releases can be found at the following location:\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.sensysnetworks.com/resources-by-category/#sw\"\u003ehttp://www.sensysnetworks.com/resources-by-category/#sw\u003c/a\u003e\u003c/p\u003e\u003cp\u003eUpdated\n product versions are available through Sensys Networks\u2019 local \ndistributors. Contact information for their local distributors can be \nfound at the following location:\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://www.sensysnetworks.com/distributors/\"\u003ehttp://www.sensysnetworks.com/distributors/\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Sensys Networks has produced updated product versions VDS 2.10.1 and \nTrafficDOT 2.10.3 to remediate vulnerabilities identified in their \nVSN240-F and VSN240-T traffic sensors.\n\n\n\n\nSensys Networks has released software update VDS 1.8.8, for an older \nmodel access point, to remediate traffic sensor vulnerabilities.\n\n\nThe updated human-machine interface version, TrafficDOT 2.10.3, \nenables encrypted software downloads for sensors and sensor data \nauthentication for access points and access point controller cards using\n updated versions VDS 2.10.1 or VDS 1.8.8.\n\n\n\n\nAdditional information about Sensys Networks\u2019 software releases can be found at the following location:\n\n\n http://www.sensysnetworks.com/resources-by-category/#sw \n\nUpdated\n product versions are available through Sensys Networks\u2019 local \ndistributors. Contact information for their local distributors can be \nfound at the following location:\n\n\n http://www.sensysnetworks.com/distributors/"
        }
      ],
      "source": {
        "advisory": "ICSA-14-247-01",
        "discovery": "EXTERNAL"
      },
      "title": "Sensys Networks Traffic Sensor Download of Code Without Integrity Check",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2014-2378",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not verify the integrity of downloaded updates, which allows remote attackers to execute arbitrary code via a Trojan horse update."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-247-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-247-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2014-2378",
    "datePublished": "2014-09-05T17:00:00",
    "dateReserved": "2014-03-13T00:00:00",
    "dateUpdated": "2025-10-13T23:00:45.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-RPJ9-VVGV-G3HF

CVE-2014-2378 (GCVE-0-2014-2378)

Tags

Sightings

Nomenclature