Multiple vulnerabilities in ATI Emergency Mass Notification Systems

Published: 2018-04-11 15:03:42
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
CVE ID: CVE-2018-8862, CVE-2018-8864
CVSSv3:
  4.6 [CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
  4.6 [CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CWE ID: CWE-287, CWE-311
Exploitation vector: Local network
Public exploit: Not available
Vulnerable software: ALERT4000, MHPSS, HPSS32, HPSS16
Vulnerable software versions:
  ALERT4000 -
  MHPSS -
  HPSS32 -
  HPSS16 -
Vendor URL: Acoustic Technology

Security Advisory

1) Improper authentication

Description

The vulnerability allows an adjacent attacker to bypass security restrictions on the target system.

The weakness exists due to improper authentication. An adjacent attacker can submit specially crafted malicious radio transmissions, bypass authentication and trigger false alarms.

Remediation

Install the update from the vendor's website.

External links

https://ics-cert.us-cert.gov/advisories/ICSA-18-100-01

2) Missing encryption of sensitive data

Description

The vulnerability allows an adjacent attacker to bypass security restrictions on the target system.

The weakness exists due to missing encryption of sensitive data. An adjacent attacker can submit specially crafted malicious radio transmissions and trigger false alarms.

Remediation

Install the update from the vendor's website.

External links

https://ics-cert.us-cert.gov/advisories/ICSA-18-100-01
