American Auto-Matrix Aspect-Nexus Building Automation Front-End up to 2.x Password cleartext storage
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.2 | $0-$5k | 0.00 |
Summary
A vulnerability was found in American Auto-Matrix Aspect-Nexus Building Automation Front-End and Aspect-Matrix Building Automation Front-End up to 2.x and classified as problematic. Affected is an unknown function. Such manipulation leads to cleartext storage (Password). This vulnerability is uniquely identified as CVE-2016-2308. The attack can be launched remotely. No exploit exists. It is suggested to upgrade the affected component.
Details
A vulnerability, which was classified as critical, has been found in American Auto-Matrix Aspect-Nexus Building Automation Front-End and Aspect-Matrix Building Automation Front-End up to 2.x (Automation Software). Affected by this issue is an unknown code. The manipulation with an unknown input leads to a cleartext storage vulnerability (Password). Using CWE to declare the problem leads to CWE-312. The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Impacted is confidentiality, integrity, and availability. CVE summarizes:
American Auto-Matrix Aspect-Nexus Building Automation Front-End Solutions application before 3.0.0 and Aspect-Matrix Building Automation Front-End Solutions application store passwords in cleartext, which allows remote attackers to obtain sensitive information by reading a file.
The weakness was disclosed 10/05/2016 (Website). The advisory is shared for download at ics-cert.us-cert.gov. This vulnerability is handled as CVE-2016-2308 since 02/09/2016. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1555.
Upgrading to version 3.0.0 eliminates this vulnerability.
The entry VDB-92431 is pretty similar. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Type
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.6VulDB Meta Temp Score: 8.4
VulDB Base Score: 8.6
VulDB Temp Score: 8.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 8.6
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Name: PasswordClass: Cleartext storage / Password
CWE: CWE-312 / CWE-310
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Aspect-Nexus Building Automation Front-End/Aspect-Matrix Building Automation Front-End 3.0.0
Timeline
02/09/2016 🔍10/05/2016 🔍
10/05/2016 🔍
10/06/2016 🔍
05/03/2019 🔍
Sources
Advisory: ics-cert.us-cert.govStatus: Not defined
CVE: CVE-2016-2308 (🔍)
GCVE (CVE): GCVE-0-2016-2308
GCVE (VulDB): GCVE-100-92432
See also: 🔍
Entry
Created: 10/06/2016 09:31Updated: 05/03/2019 08:16
Changes: 10/06/2016 09:31 (49), 05/03/2019 08:16 (10)
Complete: 🔍
Cache ID: 216::103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.