CVE-2022-25219

A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot. By means of a crafted exchange of UDP packets, an unauthenticated attacker on the local network can leverage this null byte interaction error in such a way as to make those ephemeral passwords predictable (with 1-in-94 odds). Since the attacker must manipulate data processed by the OpenSSL function RSA_public_decrypt(), successful exploitation of this vulnerability depends on the use of an unpadded RSA cipher (CVE-2022-25218).

CVSS v3 8.4 HIGH
CVSS v2.0 6.9 MEDIUM

8.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.5 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://www.tenable.com/security/research/tra-2022-01	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:phicomm:k2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phicomm:k2:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:phicomm:k3_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phicomm:k3:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:phicomm:k3c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phicomm:k3c:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:phicomm:k2g_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phicomm:k2g:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:phicomm:k2p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phicomm:k2p:-:*:*:*:*:*:*:*

History

08 Aug 2023, 14:22

Type	Values Removed	Values Added
CWE	~~CWE-436~~	NVD-CWE-Other

Information

Published : 2022-03-10 17:47

Updated : 2024-02-28 19:09

NVD link : CVE-2022-25219

Mitre link : CVE-2022-25219

CVE.ORG link : CVE-2022-25219

JSON object : View

Products Affected

phicomm

k3c_firmware
k3_firmware
k3
k2g
k2g_firmware
k2_firmware
k3c
k2p_firmware
k2p
k2

CWE

NVD-CWE-Other

{"id": "CVE-2022-25219", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.5}]}, "published": "2022-03-10T17:47:02.457", "references": [{"url": "https://www.tenable.com/security/research/tra-2022-01", "tags": ["Exploit", "Third Party Advisory"], "source": "vulnreport@tenable.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot. By means of a crafted exchange of UDP packets, an unauthenticated attacker on the local network can leverage this null byte interaction error in such a way as to make those ephemeral passwords predictable (with 1-in-94 odds). Since the attacker must manipulate data processed by the OpenSSL function RSA_public_decrypt(), successful exploitation of this vulnerability depends on the use of an unpadded RSA cipher (CVE-2022-25218)."}, {"lang": "es", "value": "Se ha detectado un error de interacci\u00f3n de bytes nulos en el c\u00f3digo que el demonio telnetd_startup usa para construir un par de contrase\u00f1as ef\u00edmeras que permiten a un usuario generar un servicio de telnet en el router, y para asegurar que el servicio de telnet persiste tras el reinicio. Por medio de un intercambio dise\u00f1ado de paquetes UDP, un atacante no autenticado en la red local puede aprovechar este error de interacci\u00f3n de bytes nulos de tal manera que haga que esas contrase\u00f1as ef\u00edmeras sean predecibles (con una probabilidad de 1 en 94). Dado que el atacante debe manipular los datos procesados por la funci\u00f3n RSA_public_decrypt() de OpenSSL, una explotaci\u00f3n con \u00e9xito de esta vulnerabilidad depende del uso de un cifrado RSA sin relleno (CVE-2022-25218)"}], "lastModified": "2023-08-08T14:22:24.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k2_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66980EB4-9FEC-451F-93F1-3E275CD6A462", "versionEndIncluding": "22.5.9.163"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k2:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "26A205A0-3616-4CD9-A7B8-FEA63742ABE9"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k3_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C6D3940-9C77-4A8C-AD55-6857491B43B5", "versionEndIncluding": "21.5.37.246"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k3:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7FFD131E-E41A-44BD-81B5-A1A10E64D88B"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k3c_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3319332E-25E6-4148-9A57-15FCF51C0413", "versionEndIncluding": "32.1.15.93"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k3c:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4D47C172-F2F6-451F-8891-D150DBBA181C"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k2g_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4737564-B92D-408E-81EC-598B76EE347F", "versionEndIncluding": "22.6.3.20"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k2g:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1C8AE809-CB81-4CEB-B383-0461E3885892"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k2p_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8CE04942-4274-4A96-95E4-4838AAAC09A2", "versionEndIncluding": "20.4.1.7"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k2p:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F80A65CA-B4F2-4912-B991-1D60869D5CB9"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "vulnreport@tenable.com"}