5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.007 Low
EPSS
Percentile
80.8%
S2 NetBox and related products do not adequately restrict access to node logs, backups, and employee photographs. A remote, unauthenticated attacker could use information obtained from a vulnerable system to aid in further attacks.
S2 NetBox is a line of “…open architecture, scalable, IP network-ready products for the physical security industry that integrate access control, alarm monitoring, video surveillance, and temperature monitoring.” S2 Netbox systems are operated entirely via a web interface.
The Netbox web server does not properly authenticate access to several directories, allowing an unauthenticated attacker to access network node logs, employee photographs, and backup archives.
Linear (formerly IEI) eMerge is based on S2 Netbox, and Sonitrol eAccess is based on Linear eMerge. eMerge and eAccess may also be affected by this vulnerability.
An unauthenticated, remote attacker can access node logs, backups, and employee photographs. An attacker may be able to crack passwords contained in a backup and gain administrative control over the system. Node logs and employee photographs could provide an attacker with reconnaissance information.
Upgrade or patch
S2 Security has made patches or upgrades available to address this vulnerability for Netbox versions 2.5, 3.3, and 4.0. Please contact S2 or Linear customer support.
Restrict access
Restrict network access to S2 Netbox systems to trusted and authorized hosts and networks. Separate management networks from general purpose user networks. Do not allow access from untrusted networks such as the internet.
251133
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: May 25, 2010
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
The Linear eMerge product is affected.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23251133 Feedback>).
Notified: March 23, 2010 Updated: May 12, 2010
Affected
S2 Security has made available patches or upgrades available to address this vulnerability in all versions of our product (2.5, 3.3, and 4.0). These are available through Linear Customer Support or S2 Customer Support.
We are not aware of further vendor information regarding this vulnerability.
Updated: July 09, 2010
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Sonitrol eAccess is based on S2 Netbox and may be affected.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23251133 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
These vulnerabilities were researched and reported by Shawn Merdinger. Thanks to S2 Security for information used in this document.
This document was written by Art Manion.
CVE IDs: | CVE-2010-2466 |
---|---|
Severity Metric: | 2.63 Date Public: |