CVE-2022-25218
8.1
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 / Impact: 5.9
Source: NVD
Description
The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the "plaintext" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's RSA_public_decrypt() function. This weakness allows the attacker to manipulate the various iterations of the telnetd startup state machine and eventually obtain a root shell on the device, by means of an exchange of crafted UDP packets. In all versions but K2 22.5.9.163 and K3C 32.1.15.93 a successful attack also requires the exploitation of a null-byte interaction error (CVE-2022-25219).
Affected (5)
Products: Phicomm: K2 Firmware, K3 Firmware, K3c Firmware, K2g Firmware, K2p Firmware
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Up to 22.5.9.163 |
| Running on/with | Platform Versions |
|---|---|
Phicomm K2 | All versions |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| Up to 21.5.37.246 |
| Running on/with | Platform Versions |
|---|---|
Phicomm K3 | All versions |
Configuration C
| Vulnerable Software | Affected Versions |
|---|---|
| Up to 32.1.15.93 |
| Running on/with | Platform Versions |
|---|---|
Phicomm K3c | All versions |
Configuration D
| Vulnerable Software | Affected Versions |
|---|---|
| Up to 22.6.3.20 |
| Running on/with | Platform Versions |
|---|---|
Phicomm K2g | All versions |
Configuration E
| Vulnerable Software | Affected Versions |
|---|---|
| Up to 20.4.1.7 |
| Running on/with | Platform Versions |
|---|---|
Phicomm K2p | All versions |
References (2)
Source: vulnreport@tenable.com
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory
Timeline
No history available yet.