CVE-2014-5208
CVSS V2 High 7.5
CVSS V3 None
Description
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbitrary files via a STOR operation, or obtain sensitive database-location information via a PMODE operation, a different vulnerability than CVE-2014-0784.
Overview
- CVE ID
- CVE-2014-5208
- Assigner
- cret@cert.org
- Vulnerability Status
- Analyzed
- Published Version
- 2014-12-22T17:59:00
- Last Modified Date
- 2014-12-22T19:27:03
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| AND | ||||
| cpe:2.3:a:yokogawa:exaopc:*:*:*:*:*:*:*:* | 1 | OR | 3.71.10 | |
| cpe:2.3:h:yokogawa:exaopc:-:*:*:*:*:*:*:* | 0 | OR | ||
| AND | ||||
| cpe:2.3:a:yokogawa:centum_cs_3000:r3.01:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_cs_3000:r3.02:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_cs_3000:r3.03:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_cs_3000:r3.04:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_cs_3000:r3.05:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_cs_3000:r3.06:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_cs_3000:r3.07:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_cs_3000:r3.08:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_cs_3000:r3.08.50:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_cs_3000:r3.08.70:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_cs_3000:r3.09:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_cs_3000:r3.09.50:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:h:yokogawa:centum_cs_3000:-:*:*:*:*:*:*:* | 0 | OR | ||
| AND | ||||
| cpe:2.3:a:yokogawa:centum_vp:*:*:*:*:*:*:*:* | 1 | OR | r4.03.00 | |
| cpe:2.3:a:yokogawa:centum_vp:r5.01.00:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_vp:r5.01.20:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_vp:r5.02.00:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:yokogawa:centum_vp:r5.03.00:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:h:yokogawa:centum_vp:-:*:*:*:*:*:*:* | 0 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:L/Au:N/C:P/I:P/A:P
- Access Vector
- NETWORK
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- PARTIAL
- Availability Impact
- PARTIAL
- Base Score
- 7.5
- Severity
- HIGH
- Exploitability Score
- 10
- Impact Score
- 6.4
References
| Reference URL | Reference Tags |
|---|---|
| https://community.rapid7.com/community/metasploit/blog/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access | Exploit |
| https://ics-cert.us-cert.gov/advisories/ICSA-14-260-01A | Third Party Advisory US Government Resource |
| http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0003E.pdf | Vendor Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2014-5208 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5208 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 10:25:19 | Added to TrackCVE | |||
| 2022-12-02 02:49:29 | cert@cert.org | cret@cert.org | CVE Assigner | updated |
| 2022-12-02 02:49:29 | 2014-12-22T17:59Z | 2014-12-22T17:59:00 | CVE Published Date | updated |
| 2022-12-02 02:49:29 | 2014-12-22T19:27:03 | CVE Modified Date | updated | |
| 2022-12-02 02:49:29 | Analyzed | Vulnerability Status | updated |