The affected TBox RTUs run OpenVPN with root privileges and can run user defined configuration scripts. An attacker could set up a local OpenVPN server and push a malicious script onto the TBox host to acquire root privileges.
References
Link | Resource |
---|---|
https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03 | Mitigation Third Party Advisory US Government Resource |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
History
10 Jul 2023, 16:21
Type | Values Removed | Values Added |
---|---|---|
First Time |
Ovarro tbox Lt2
Ovarro tbox Lt2 Firmware Ovarro tbox Rm2 Firmware Ovarro tbox Tg2 Ovarro tbox Tg2 Firmware Ovarro tbox Ms-cpu32-s2 Firmware Ovarro tbox Rm2 Ovarro tbox Ms-cpu32 Ovarro tbox Ms-cpu32 Firmware Ovarro Ovarro tbox Ms-cpu32-s2 |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
CPE | cpe:2.3:h:ovarro:tbox_lt2:-:*:*:*:*:*:*:* cpe:2.3:o:ovarro:tbox_lt2_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:ovarro:tbox_tg2_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:ovarro:tbox_ms-cpu32:-:*:*:*:*:*:*:* cpe:2.3:o:ovarro:tbox_ms-cpu32_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:ovarro:tbox_ms-cpu32-s2_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:ovarro:tbox_ms-cpu32-s2:-:*:*:*:*:*:*:* cpe:2.3:h:ovarro:tbox_rm2:-:*:*:*:*:*:*:* cpe:2.3:o:ovarro:tbox_rm2_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:ovarro:tbox_tg2:-:*:*:*:*:*:*:* |
|
References | (MISC) https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03 - Mitigation, Third Party Advisory, US Government Resource |
03 Jul 2023, 20:31
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-03 20:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-36609
Mitre link : CVE-2023-36609
CVE.ORG link : CVE-2023-36609
JSON object : View
Products Affected
ovarro
- tbox_lt2
- tbox_tg2_firmware
- tbox_ms-cpu32_firmware
- tbox_tg2
- tbox_ms-cpu32
- tbox_rm2
- tbox_lt2_firmware
- tbox_ms-cpu32-s2_firmware
- tbox_ms-cpu32-s2
- tbox_rm2_firmware
CWE
CWE-829
Inclusion of Functionality from Untrusted Control Sphere