Lucene search

IcscertVULNRICHMENT:CVE-2023-29155

HistoryNov 20, 2023 - 4:28 p.m.

CVE-2023-29155 Improper Authentication INEA ME RTU

2023-11-2016:28:20

CWE-287

icscert

github.com

inea me rtu

firmware

unauthorized access

authentication

cve-2023-29155

admin-level access

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

SSVC

Exploitation

none

Automatable

yes

Technical Impact

total

JSON

Versions of INEA ME RTU firmware 3.36b and prior do not require authentication to the “root” account on the host system of the device. This could allow an attacker to obtain admin-level access to the host system.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:o:inea:me_rtu_firmware:-:*:*:*:*:*:*:*"
    ],
    "vendor": "inea",
    "product": "me_rtu_firmware",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "3.36b"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

www.cisa.gov/news-events/ics-advisories/icsa-23-304-02

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

SSVC

Exploitation

none

Automatable

yes

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2023-29155