As part of Thales commitment to product security, Thales Digital Identity and Security(DIS), Analytics and IoT Solutions (AIS) lists known security updates on this page.

 

19 August 2020

Vulnerabilities on Java module family (CVE-2020-15858)

Thales has become aware of a security vulnerability in the Java embedded platform integrated into the Cinterion® modules.

This security vulnerability could potentially allow attackers with physical access to the device to compromise certain assets stored in the Cinterion® modules’ flash file system such as:

  • Customer Java MIDlet byte code
  • TLS credentials or
  • OTAP configuration data

The CVSS base score of this vulnerability is 6.2, as jointly computed by Thales and the security researchers.

Thales has mitigated this issue through a minor modification of the Java embedded platform, which fixes the directory path access check of the internal flash file system. 

The following products and releases were vulnerable:

  • BGS5 up to and including SW RN 02.000 / ARN 01.001.06
  • EHSx and PDSx up to and including SW RN 04.003 / ARN 01.000.04
  • ELS61 up to and including SW RN 02.002 / ARN 01.000.04
  • ELS81 up to and including SW RN 05.002 / ARN 01.000.04
  • PLS62 up to and including SW RN 02.000 / ARN 01.000.04

All affected customers have been informed starting Q1 2020.

Thales wishes to thank Grzegorz Wypych and Adam Laurie from X-Force Red for highlighting this issue.