PT-2015-3783 · Toshiba+1 · Toshiba Chec+3

David Odell

Published

2015-06-24

Updated

2015-06-24

CVE-2014-4875

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions Toshiba CHEC versions prior to 6.6 build 4014 Toshiba CHEC versions 6.7 prior to build 4329

Description The issue concerns a hardcoded AES key in CreateBossCredentials.jar, which can be exploited by attackers to obtain Back Office System Server (BOSS) DB2 database credentials. This can be achieved by leveraging knowledge of the hardcoded key in conjunction with read access to bossinfo.pro.

Recommendations For versions prior to 6.6 build 4014, update to a version that includes build 4014 or later to resolve the issue. For versions 6.7 prior to build 4329, update to a version that includes build 4329 or later to resolve the issue. As a temporary workaround, consider restricting read access to bossinfo.pro to minimize the risk of exploitation.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-255CWE-200

Related Identifiers

CVE-2014-4875

Affected Products

Boss

Createbosscredentials.Jar

Db2

Toshiba Chec

PT-2015-3783 · Toshiba+1 · Toshiba Chec+3

CVE-2014-4875

Weakness Enumeration

Related Identifiers

Affected Products

References · 3