Executive Summary
Summary | |
---|---|
Title | S2 Security Linear eMerge Access Control System management component vulnerable to unauthenticated factory reset |
Information | |||
---|---|---|---|
Name | VU#571629 | First vendor Publication | 2010-01-04 |
Vendor | VU-CERT | Last vendor Modification | 2010-04-29 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#571629

S2 Security Linear eMerge Access Control System management component vulnerable to unauthenticated factory reset

Overview

The S2 Security Linear eMerge Access Control System management console allows an unauthenticated attacker to perform a factory reset of the management system.

I. Description

Linear eMerge is an IP-enabled security management and access control system. The product is distributed by Linear LLC; however, it is created by the S2 Security Corporation. Linear eMerge has two types of components. The first is a Linux system that runs a web server and a database. This component is used to configure the access control system through a web browser. The other components are the node controls, which operate building security hardware, such as locks, card readers, elevator buttons, motion detectors, etc.

The management component of eMerge can be reset to its factory configuration through the use of a specially crafted URI. No authentication is required. Once this happens, the management component will no longer be functional and will be taken off the network because it will lose its IP address. If this happens, the node components will continue to operate, but in a standalone configuration. The nodes can continue to operate in this manner indefinitely.
References
Thanks to Shawn Merdinger for reporting this vulnerability. This document was written by Will Dormann.
Original Source
Url : http://www.kb.cert.org/vuls/id/571629 |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
61481 | eMerge Management Component Crafted HTTP Request Remote DoS. eMerge Management Component contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends a crafted HTTP request, and will result in loss of availability for the service. |