Vulnerability Details : CVE-2015-8362
The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices before 2015-10-12 has a hardcoded password for the BlackWidow account, which makes it easier for remote attackers to obtain access via a (1) SSH or (2) HTTP session, a different vulnerability than CVE-2016-1984.
Products affected by CVE-2015-8362
- cpe:2.3:o:harman:amx_firmware:1.2.322:*:*:*:*:*:*:*
- cpe:2.3:o:harman:amx_firmware:1.3.100:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-8362
6.03%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 93 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-8362
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST | |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2015-8362
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-8362
-
http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html
Page not found | SEC ConsultExploit
-
https://ics-cert.us-cert.gov/advisories/ICSA-16-049-02
AMX Multiple Products Credential Management Vulnerabilities (Update A) | CISA
-
http://seclists.org/fulldisclosure/2016/Jan/63
Full Disclosure: SEC Consult SA-20160121-0 :: Deliberately hidden backdoor account in AMX (Harman Professional) devicesExploit
-
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160121-0_AMX_Deliberately_hidden_backdoor_account_v10.txt
Exploit
-
http://www.securityfocus.com/archive/1/537343/100/0/threaded
SecurityFocus
-
http://www.amx.com/techcenter/firmware.asp?Category=Hot%20Fix%20Files
The page you were looking for doesn't exist (404)
-
http://www.securityfocus.com/bid/81545
Multiple AMX Products CVE-2015-8362 Hardcoded Credentials Security Bypass Vulnerability
-
https://www.kb.cert.org/vuls/id/992624
VU#992624 - Harman AMX multimedia devices contain hard-coded credentialsUS Government Resource
-
http://www.amx.com/techcenter/NXSecurityBrief/
The page you were looking for doesn't exist (404)
Jump to