
CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

The Motorola ACE1000 RTU through 2022-05-02 ships with a hardcoded SSH private key, and initialization scripts (such as /etc/init.d/sshd_service) only generate a new key if no private-key file exists. Thus, this hardcoded key is likely to be used by default. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-06 https://www.forescout.com/blog • CWE-259: Use of Hard-coded Password; CWE-798: Use of Hard-coded Credentials •

CVSS: 7.2 | EPSS: 0% | CPEs: 2 | EXPL: 0

The Motorola ACE1000 RTU through 2022-05-02 mishandles firmware integrity. It utilizes either the STS software suite or ACE1000 Easy Configurator for performing firmware updates. In case of the Easy Configurator, firmware updates are performed through access to the Web UI where file system, kernel, package, bundle, or application images can be installed. Firmware updates for the Front End Processor (FEP) module are performed via access to the SSH interface (22/TCP), where a .hex file image is transferred and a bootloader script invoked. File system, kernel, package, and bundle updates are supplied as RPM (RPM Package Manager) files while FEP updates are supplied as S-rec files. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-06 https://www.forescout.com/blog • CWE-345: Insufficient Verification of Data Authenticity •

CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

The Motorola ACE1000 RTU through 2022-05-02 uses ECB encryption unsafely. It can communicate with an XRT LAN-to-radio gateway by means of an embedded client. Credentials for accessing this gateway are stored after being encrypted with the Tiny Encryption Algorithm (TEA) in ECB mode using a hardcoded key. Similarly, the ACE1000 RTU can route MDLC traffic over Extended Command and Management Protocol (XCMP) and Network Layer (XNL) networks via the MDLC driver. Authentication to the XNL port is protected by TEA in ECB mode using a hardcoded key. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-06 https://www.forescout.com/blog • CWE-798: Use of Hard-coded Credentials •

CVSS: 6.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

Versions of Motorola Ready For and Motorola Device Help Android applications prior to 2021-04-08 do not properly verify the server certificate, which could lead to the communication channel being accessible by an attacker. • https://support.lenovo.com/us/en/product_security/LEN-58311 • CWE-295: Improper Certificate Validation •

CVSS: 4.8 | EPSS: 0% | CPEs: 20 | EXPL: 0

Certain Motorola Solutions Avigilon devices allow XSS in the administrative UI. This affects T200/201 before 4.10.0.68; T290 before 4.4.0.80; T008 before 2.2.0.86; T205 before 4.12.0.62; T204 before 3.28.0.166; and T100, T101, T102, and T103 before 2.6.0.180. • https://support.avigilon.com/s/feed/0D54y00006l9eCMCAY https://www.motorolasolutions.com/en_us/about/trust-center/security.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •