CVE-2018-5402

The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN

Severity Score

8.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN Impact: An attacker once authenticated can change configurations, upload new configuration files, and upload executable code via file upload for firmware updates. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and the Marine Pro Observer Android App. Versions prior to 3.7 on ARMv7.

Las aplicaciones de Android Auto-Maskin DCU 210E, RP-210E y Marine Pro Observer emplean un servidor web embebido que emplea texto plano para la transmisión del PIN del administrador. Impacto: Una vez autenticado, un atacante puede cambiar las configuraciones, subir nuevos archivos de configuración y subir código ejecutable mediante la subida de archivos para actualizaciones de firmware. Se requiere acceso a la red. Las versiones afectadas son las aplicaciones de Android Auto-Maskin DCU-210E RP-210E y Marine Pro Observer. Versiones anteriores a la 3.7 en ARMv7.

*Credits: Reporters: Brian Satira, Brian Olson, Organization: Project Gunsway

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-01-12 CVE Reserved
2018-10-08 CVE Published
2024-07-16 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-310: Cryptographic Issues
CWE-319: Cleartext Transmission of Sensitive Information

CAPEC

References (2)

URL	Tag	Source
https://www.kb.cert.org/vuls/id/176301	Third Party Advisory
https://www.us-cert.gov/ics/advisories/icsa-20-051-04	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Auto-maskin Search vendor "Auto-maskin"	Rp 210e Firmware Search vendor "Auto-maskin" for product "Rp 210e Firmware"	-	-	Affected	in	Arm Search vendor "Arm"	Arm7 Search vendor "Arm" for product "Arm7"	< 3.7 Search vendor "Arm" for product "Arm7" and version " < 3.7"	-	Safe
Auto-maskin Search vendor "Auto-maskin"	Rp 210e Firmware Search vendor "Auto-maskin" for product "Rp 210e Firmware"	-	-	Affected	in	Auto-maskin Search vendor "Auto-maskin"	Rp 210e Search vendor "Auto-maskin" for product "Rp 210e"	-	-	Safe
Auto-maskin Search vendor "Auto-maskin"	Dcu 210e Firmware Search vendor "Auto-maskin" for product "Dcu 210e Firmware"	-	-	Affected	in	Arm Search vendor "Arm"	Arm7 Search vendor "Arm" for product "Arm7"	< 3.7 Search vendor "Arm" for product "Arm7" and version " < 3.7"	-	Safe
Auto-maskin Search vendor "Auto-maskin"	Dcu 210e Firmware Search vendor "Auto-maskin" for product "Dcu 210e Firmware"	-	-	Affected	in	Auto-maskin Search vendor "Auto-maskin"	Dcu 210e Search vendor "Auto-maskin" for product "Dcu 210e"	-	-	Safe
Auto-maskin Search vendor "Auto-maskin"		Marine Pro Observer Search vendor "Auto-maskin" for product "Marine Pro Observer"				-		android		Affected