Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Multiple security vulnerabilities in Secure Elements Class 5 AVR (EVM) - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Multiple security vulnerabilities in Secure Elements Class 5 AVR (EVM)
US-CERT published 19 (!!!) advisories about vulnerabilities in Secure Element's Class 5 AVR (Automated Vulnerability Remediation). The product is also known as C5 EVM (Enterprise Vulnerability Management). It allows auditing, evaluation and compliance with various policies. You can find more information about the product at http://www.secure-elements.com/products/index.htm.

There are too many vulnerabilities to list them here, but they look very bad ? starting from hard-coded user IDs and passwords, over same encryption settings for every message session to typical input validation vulnerabilities.

You can find the complete list at US-CERT's web site; http://www.kb.cert.org/vuls/bypublished.

The vulnerability is reportedly patched in the latest version of the product, C5 EVM 2.8.1.

Thanks to Juha-Matti for reporting this.
I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Riyadh April 2019

Bojan

376 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!