CVE-2018-5401 : The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App transmit sensitive or security-critical data in c

The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App transmit sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. The devices transmit process control information via unencrypted Modbus communications. Impact: An attacker can exploit this vulnerability to observe information about configurations, settings, what sensors are present and in use, and other information to aid in crafting spoofed messages. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and Marine Pro Observer Android App. Versions prior to 3.7 on ARMv7.

Published 2018-10-08 15:29:03

Updated 2019-10-09 23:41:18

Source CERT/CC

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2018-5401

Probability of exploitation activity in the next 30 days: 0.27%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 63 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2018-5401

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
9.1	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N	3.9	5.2	CERT/CC
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2018-5401

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Assigned by:
- cret@cert.org (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2018-5401

https://www.us-cert.gov/ics/advisories/icsa-20-051-04

Auto-Maskin RP210E, DCU210E, and Marine Observer Pro (Android App) | CISA

CVEs referencing this url
https://www.kb.cert.org/vuls/id/176301

VU#176301 - Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App
Third Party Advisory;US Government Resource

CVEs referencing this url

Products affected by CVE-2018-5401

Auto-maskin » Rp 210e Firmware » Version: N/A
cpe:2.3:o:auto-maskin:rp_210e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: ARM » Arm7
When used together with: Auto-maskin » Rp 210e » Version: N/A
Auto-maskin » Dcu 210e Firmware » Version: N/A
cpe:2.3:o:auto-maskin:dcu_210e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: ARM » Arm7
When used together with: Auto-maskin » Dcu 210e » Version: N/A
Auto-maskin » Marine Pro Observer » Version: N/A For Android
cpe:2.3:a:auto-maskin:marine_pro_observer:-:*:*:*:*:android:*:*
Matching versions

Vulnerability Details : CVE-2018-5401

Exploit prediction scoring system (EPSS) score for CVE-2018-5401

CVSS scores for CVE-2018-5401

CWE ids for CVE-2018-5401

References for CVE-2018-5401

Products affected by CVE-2018-5401