10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
0.002 Low
EPSS
Percentile
62.3%
Successful exploitation of these vulnerabilities could allow a message queuing telemetry transport (MQTT) command injection, unauthorized disclosure of sensitive device information, and remote code execution. If properly chained, these vulnerabilities could result in an unauthorized remote user fully compromising every cloud-managed InHand Networks device reachable by the cloud.
The following versions of InRouters, an industrial router line, are affected:
3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
The affected products use an unsecured channel to communicate with the cloud platform by default. An unauthorized user could intercept this communication and steal sensitive information such as configuration information and MQTT credentials; this could allow MQTT command injection.
CVE-2023-22597 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N).
The affected products are vulnerable to operating system (OS) command injection. An unauthorized user with privileged access to the local web interface or the cloud account managing the affected devices could push a specially crafted configuration update file to gain root access. This could lead to remote code execution with root privileges.
CVE-2023-22598 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
3.2.3 USE OF A ONE-WAY HASH WITH A PREDICTABLE SALT CWE-760
The affected products send MQTT credentials in response to HTTP/HTTPS requests from the cloud platform. These credentials are encoded using a hardcoded string into an MD5 hash. This string could be easily calculated by an unauthorized user who spoofed sending an HTTP/HTTPS request to the devices. This could result in the affected devices being temporarily disconnected from the cloud platform and allow the user to receive MQTT commands with potentially sensitive information.
CVE-2023-22599 has been assigned to this vulnerability. A CVSS v3 base score of 7.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L).
3.2.4 IMPROPER ACCESS CONTROL CWE-284
The affected products allow unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An unauthorized user who knows of an existing topic name could send and receive messages to and from that topic. This includes the ability to send GET/SET configuration commands, reboot commands, and push firmware updates.
CVE-2023-22600 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H).
3.2.5 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330
The affected products do not properly randomize MQTT ClientID parameters. An unauthorized user could calculate this parameter and use it to gather additional information about other InHand devices managed on the same cloud platform.
CVE-2023-22601 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Roni Gavrilov from OTORIO reported these vulnerabilities to CISA.
InHand recommends users update affected device firmware to the most recent version:
To access the updates, users should go to βDocumentation β Firmwareβ on the product page.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability these vulnerabilities. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22597
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22598
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22599
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22600
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22601
cisa.gov/ics
cisa.gov/ics
cwe.mitre.org/data/definitions/284.html
cwe.mitre.org/data/definitions/319.html
cwe.mitre.org/data/definitions/330.html
cwe.mitre.org/data/definitions/760.html
cwe.mitre.org/data/definitions/78.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=InHand%20Networks%20InRouter+https://www.cisa.gov/news-events/ics-advisories/icsa-23-012-03
us-cert.cisa.gov/ics/Recommended-Practices
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-23-012-03&title=InHand%20Networks%20InRouter
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
www.inhandnetworks.com/products/inrouter300.html
www.inhandnetworks.com/products/inrouter615-s.html
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-23-012-03
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-23-012-03
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=InHand%20Networks%20InRouter&body=www.cisa.gov/news-events/ics-advisories/icsa-23-012-03