MidnightBSD

Advisories for harman

CVE-2015-8362 HIGH

The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices before 2015-10-12 has a hardcoded password for the BlackWidow account, which makes it easier for remote attackers to obtain access via a (1) SSH or (2) HTTP session, a different vulnerability than CVE-2016-1984.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-255

Products Affected

Vendor Product Version
harman amx_firmware 1.3.100
harman amx_firmware 1.2.322

CVE-2016-1984 HIGH

The setUpSubtleUserAccount function in /bin/bw on Harman AMX devices before 2016-01-20 has a hardcoded password for the 1MB@tMaN account, which makes it easier for remote attackers to obtain access via a (1) SSH or (2) HTTP session, a different vulnerability than CVE-2015-8362.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-255

Products Affected

Vendor Product Version
harman amx_firmware 1.3.100
harman amx_firmware 1.2.322

CVE-2019-11224 MEDIUM

HARMAN AMX MVP5150 v2.87.13 devices allow remote OS Command Injection.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78

Products Affected

Vendor Product Version
harman amx_mvp5150_firmware 2.87.13

CVE-2019-19556 LOW

An authentication bypass in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with physical access to device hardware to obtain system information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 0.9 3.6

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
harman hermes 1.0

CVE-2019-19557 LOW

A misconfiguration in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.4 LOW CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 0.9 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-922

Products Affected

Vendor Product Version
harman hermes 1.0

CVE-2019-19560 LOW

An authentication bypass in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with physical access to device hardware to obtain system information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 0.9 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-287

Products Affected

Vendor Product Version
harman hermes 1.5

CVE-2019-19561 LOW

A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.4 LOW CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 0.9 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-922

Products Affected

Vendor Product Version
harman hermes 1.5

CVE-2019-19562 LOW

An authentication bypass in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with physical access to device hardware to obtain system information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 0.9 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-287

Products Affected

Vendor Product Version
harman hermes 2.1

CVE-2019-19563 LOW

A misconfiguration in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.4 LOW CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 0.9 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
harman hermes 2.1