SB2018041103 - Multiple vulnerabilities in ATI Emergency Mass Notification Systems
Published: April 11, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper authentication (CVE-ID: CVE-2018-8862)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an adjacent attacker to bypass security restrictions on the target system.
The weakness exists due to improper authentication. An adjacent attacker can submit specially crafted malicious radio transmissions, bypass authentication and trigger false alarms.
2) Missing encryption of sensitive data (CVE-ID: CVE-2018-8864)
CWE-ID: CWE-311 - Missing Encryption of Sensitive Data
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an adjacent attacker to bypass security restrictions on the target system.
The weakness exists due to missing encryption of sensitive data. An adjacent attacker can submit specially crafted malicious radio transmissions and trigger false alarms.
Remediation
Install update from vendor's website.