CVE-2023-22601

Published: Jan 12, 2023Modified: Nov 21, 2024

8.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 4.0

Source: NVD

Description

InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-330: Use of Insufficiently Random Values. They do not properly randomize MQTT ClientID parameters. An unauthorized user could calculate this parameter and use it to gather additional information about other InHand devices managed on the same cloud platform.

Affected (2)

Products: Inhandnetworks: Inrouter302 Firmware, Inrouter615 S Firmware

2 products

Inrouter302 Firmware

Inrouter615 S Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inhandnetworks Inrouter302 Firmware	Before 3.5.56

Running on/with	Platform Versions
Inhandnetworks Inrouter302	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inhandnetworks Inrouter615 S Firmware	Before 2.3.0.r5542

Running on/with	Platform Versions
Inhandnetworks Inrouter615 S	All versions

Related CWEs

Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

References (2)

https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03

Source: ics-cert@hq.dhs.gov

Third Party AdvisoryUS Government Resource

https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.