1. EXECUTIVE SUMMARY
CVSS v3 7.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Ovarro
Equipment: TBox RTUs
Vulnerabilities: Missing Authorization, Use of Broken or Risky Cryptographic Algorithm, Inclusion of Functionality from Untrusted Control Sphere, Insufficient Entropy, Improper Authorization, Plaintext Storage of a Password
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in sensitive system information being exposed and privilege escalation.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following firmware versions of TBox RTUs are affected:
TBox MS-CPU32: Version 1.50.598 and prior (CVE-2023-36607, CVE-2023-36609, CVE-2023-36610, CVE-2023-36611)
TBox MS-CPU32-S2: Version 1.50.598 and prior (CVE-2023-36607, CVE-2023-36609, CVE-2023-36610, CVE-2023-36611)
TBox LT2: Version 1.50.598 and prior (CVE-2023-36607, CVE-2023-36609, CVE-2023-36610, CVE-2023-36611)
TBox TG2: Version 1.50.598 and prior (CVE-2023-36607, CVE-2023-36609, CVE-2023-36610, CVE-2023-36611)
TBox RM2: Version 1.50.598 and prior (CVE-2023-36607, CVE-2023-36609, CVE-2023-36610, CVE-2023-36611)
TBox MS-CPU32: Version 1.46 through 1.50.598 (CVE-2023-36608)
TBox MS-CPU32-S2: Version 1.46 through 1.50.598 (CVE-2023-36608)
TBox LT2: Version 1.46 through 1.50.598 (CVE-2023-36608)
TBox TG2: Version 1.46 through 1.50.598 (CVE-2023-36608)
TBox RM2: Version 1.46 through 1.50.598 (CVE-2023-36608)
TBox MS-CPU32: All versions (CVE-2023-3395)
TBox MS-CPU32-S2: All versions (CVE-2023-3395)
TBox LT2: All versions (CVE-2023-3395)
TBox TG2: All versions (CVE-2023-3395)
TBox RM2: All versions (CVE-2023-3395)
3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHORIZATION CWE-862
The affected TBox RTUs are missing authorization for running some API commands. An attacker running these commands could reveal sensitive information such as software versions and web server file contents.
Support the originator by clicking the read the rest link below.