CVE-2023-3453 | ByteOS Network

Vulnerability Details :

CVE-2023-3453

Assigner-icscert

Assigner Org ID-7d14cffa-0d7d-4270-9dc0-52cabd5a23a6

Published At-23 Aug, 2023 | 21:14

Updated At-30 Sep, 2024 | 19:13

ETIC Telecom Insecure Default Initialization of Resource

ETIC Telecom RAS versions 4.7.0 and prior the web management portal authentication disabled by default. This could allow an attacker with adjacent network access to alter the configuration of the device or cause a denial-of-service condition.

EPSS History

Score

Latest Score

-

N/A

Percentile

Latest Percentile

-

N/A

▼Common Vulnerabilities and Exposures (CVE)

Assigner:icscert

Assigner Org ID:7d14cffa-0d7d-4270-9dc0-52cabd5a23a6

Published At:23 Aug, 2023 | 21:14

Updated At:30 Sep, 2024 | 19:13

▼CVE Numbering Authority (CNA)

ETIC Telecom Insecure Default Initialization of Resource

ETIC Telecom RAS versions 4.7.0 and prior the web management portal authentication disabled by default. This could allow an attacker with adjacent network access to alter the configuration of the device or cause a denial-of-service condition.

Affected Products

Vendor

Product

Remote Access Server (RAS)

Default Status

unaffected

Versions

Affected

From 0 through 4.7.0 (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-1188	CWE-1188 Insecure Default Initialization of Resource

Type: CWE

CWE ID: CWE-1188

Description: CWE-1188 Insecure Default Initialization of Resource

Metrics

Version	Base score	Base severity	Vector
3.1	7.1	HIGH	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Version: 3.1

Base score: 7.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Solutions

Update to ETIC Telecom RAS: version 4.9.0 or later https://www.etictelecom.com/en/softwares-download/

Workarounds

ETIC Telecom recommends enabling the authentication mechanism on the administration interface. This can be done on the page “> Setup > Security > Administration right” by creating an administrator on the “List of administrators” table, enabling the parameter “Password protect the configuration interface,” then setting the parameter “Protocols to use for configuration” to “HTTPs only”. NOTE: for firmware versions 4.9.0 or later, enabling the administration protection is mandatory after the first product start.

Credits

finder

Haviv Vaizman of OTORIO

finder

Hay Mizrachi of OTORIO

finder

Alik Koldobsky of OTORIO

finder

Ofir Manzur of OTORIO

finder

Nikolay Sokolik of OTORIO

References

Hyperlink	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-01	N/A

Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-01

Resource: N/A

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-01	x_transferred

Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-01

Resource:

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

Source:ics-cert@hq.dhs.gov

Published At:23 Aug, 2023 | 22:15

Updated At:28 Dec, 2023 | 19:26

ETIC Telecom RAS versions 4.7.0 and prior the web management portal authentication disabled by default. This could allow an attacker with adjacent network access to alter the configuration of the device or cause a denial-of-service condition.

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	8.1	HIGH	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Secondary	3.1	7.1	HIGH	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Type: Primary

Version: 3.1

Base score: 8.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 7.1

Base severity: HIGH

Vector:

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CPE Matches

etictelecom>>ras-c-100-lw>>-

cpe:2.3:h:etictelecom:ras-c-100-lw:-:*:*:*:*:*:*:*

etictelecom>>ras-e-100>>-

cpe:2.3:h:etictelecom:ras-e-100:-:*:*:*:*:*:*:*

etictelecom>>ras-e-220>>-

cpe:2.3:h:etictelecom:ras-e-220:-:*:*:*:*:*:*:*

etictelecom>>ras-e-400>>-

cpe:2.3:h:etictelecom:ras-e-400:-:*:*:*:*:*:*:*

etictelecom>>ras-ec-220-lw>>-

cpe:2.3:h:etictelecom:ras-ec-220-lw:-:*:*:*:*:*:*:*

etictelecom>>ras-ec-400-lw>>-

cpe:2.3:h:etictelecom:ras-ec-400-lw:-:*:*:*:*:*:*:*

etictelecom>>ras-ec-480-lw>>-

cpe:2.3:h:etictelecom:ras-ec-480-lw:-:*:*:*:*:*:*:*

etictelecom>>ras-ecw-220-lw>>-

cpe:2.3:h:etictelecom:ras-ecw-220-lw:-:*:*:*:*:*:*:*

etictelecom>>ras-ecw-400-lw>>-

cpe:2.3:h:etictelecom:ras-ecw-400-lw:-:*:*:*:*:*:*:*

etictelecom>>ras-ew-100>>-

cpe:2.3:h:etictelecom:ras-ew-100:-:*:*:*:*:*:*:*

etictelecom>>ras-ew-220>>-

cpe:2.3:h:etictelecom:ras-ew-220:-:*:*:*:*:*:*:*

etictelecom>>ras-ew-400>>-

cpe:2.3:h:etictelecom:ras-ew-400:-:*:*:*:*:*:*:*

etictelecom>>rfm-e>>-

cpe:2.3:h:etictelecom:rfm-e:-:*:*:*:*:*:*:*

etictelecom>>remote_access_server_firmware>>Versions up to 4.7.0(inclusive)

cpe:2.3:o:etictelecom:remote_access_server_firmware:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-1188	Primary	ics-cert@hq.dhs.gov

CWE ID: CWE-1188

Type: Primary

Source: ics-cert@hq.dhs.gov

References

Hyperlink	Source	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-01	ics-cert@hq.dhs.gov	Patch Third Party Advisory US Government Resource

Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-01

Source: ics-cert@hq.dhs.gov

Resource:

Patch

Third Party Advisory

US Government Resource