CVE-2013-4734 in R189 One-Net EASinfo

Summary

by MITRE

dasdec_mkuser on the Digital Alert Systems DASDEC EAS device before 2.0-2 and the Monroe Electronics R189 One-Net EAS device before 2.0-2 generates predictable passwords, which might make it easier for attackers to obtain non-administrative access via unspecified vectors.


Analysis

by VulDB Data Team • 06/03/2026

The vulnerability identified as CVE-2013-4734 affects Digital Alert Systems DASDEC EAS devices running firmware versions prior to 2.0-2 and Monroe Electronics R189 One-Net EAS devices prior to 2.0-2. These emergency alert systems are critical infrastructure components designed to broadcast emergency notifications and alerts to the public through various communication channels, including radio and television networks. The flaw resides in the dasdec_mkuser utility, which is responsible for creating user accounts within these systems. This vulnerability represents a significant security weakness that could potentially compromise the integrity and availability of emergency communication networks.

The technical nature of this vulnerability stems from the predictable password generation algorithm implemented in the dasdec_mkuser utility. When new user accounts are created on these devices, the system generates passwords using a deterministic method that produces patterns easily recognizable by attackers. This predictable behavior violates fundamental security principles for credential management and creates a pathway for unauthorized access. The vulnerability falls under CWE-1037, which addresses weak password generation algorithms, and CWE-259, which covers weak password storage mechanisms. The predictable nature of these passwords makes them susceptible to dictionary attacks, brute-force attempts, and social engineering exploitation techniques.

The operational impact of this vulnerability extends beyond simple unauthorized access and could potentially compromise critical emergency communication infrastructure. Attackers who successfully exploit this vulnerability could gain non-administrative access to these systems, potentially allowing them to modify emergency alert parameters, disrupt alert distribution, or even create false emergency notifications that could cause public panic or confusion. The attack surface is particularly concerning given that these devices are deployed in emergency response scenarios where system integrity is paramount. According to the MITRE ATT&CK framework, this vulnerability maps to T1110.003 for credential guessing and T1078 for valid accounts, representing the techniques that attackers would employ to exploit predictable credential generation.

Security professionals should prioritize patching affected devices to address this vulnerability, as the risk of exploitation increases with the availability of the vulnerable firmware versions. The recommended mitigation strategy involves updating both the DASDEC and R189 devices to firmware version 2.0-2 or later, which contains fixes for the predictable password generation issue. Additionally, organizations should implement network segmentation to isolate these emergency systems from general network access, employ strong authentication mechanisms, and conduct regular security assessments of critical infrastructure components. The vulnerability highlights the importance of proper entropy in password generation algorithms and underscores the need for robust credential management practices in industrial control systems and emergency communication networks.

Reservation: 06/29/2013

Disclosure: 06/30/2013

Moderation: accepted

Entry: VDB-64374

CPE: ready

EPSS: 0.03757

KEV: no

Activities: very low
