CVE-2023-40464

Published: Dec 4, 2023Modified: Nov 21, 2024

6.8

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 1.6 / Impact: 5.2

Source: NVD

Description

Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man in the middle attack between the ACEManager client and ACEManager server.

Affected (1)

Products: Sierrawireless: Aleos

Sierrawireless

1 product

Aleos

Configuration A

1 vulnerable · 7 platform

Vulnerable Software	Affected Versions
Sierrawireless Aleos	Up to 4.16.0

Running on/with	Platform Versions
Sierrawireless Es450	All versions
Sierrawireless Gx450	All versions
Sierrawireless Lx40	All versions
Sierrawireless Lx60	All versions
Sierrawireless Mp70	All versions
Sierrawireless Rv50x	All versions
Sierrawireless Rv55	All versions

Related CWEs

CWE-321

Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CWE-798

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References (2)

https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.6KUVtE6w.dpbs

Source: security@sierrawireless.com

Vendor Advisory

https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.6KUVtE6w.dpbs

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.