CVE-2022-25219 - OpenCVE

A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot. By means of a crafted exchange of UDP packets, an unauthenticated attacker on the local network can leverage this null byte interaction error in such a way as to make those ephemeral passwords predictable (with 1-in-94 odds). Since the attacker must manipulate data processed by the OpenSSL function RSA_public_decrypt(), successful exploitation of this vulnerability depends on the use of an unpadded RSA cipher (CVE-2022-25218).

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Phicomm	K3 K3c K2 Firmware K2g Firmware K2g K2p Firmware K3 Firmware K2 K2p K3c Firmware

Configuration 1 [-]

AND

cpe:2.3:o:phicomm:k2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phicomm:k2:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:phicomm:k3_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phicomm:k3:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:phicomm:k3c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phicomm:k3c:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:phicomm:k2g_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phicomm:k2g:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:phicomm:k2p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phicomm:k2p:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.tenable.com/security/research/tra-2022-01	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: tenable

Published: 2022-03-07T21:56:51

Updated: 2022-03-07T21:56:51

Reserved: 2022-02-15T00:00:00

Link: CVE-2022-25219

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-10T17:47:02.457

Modified: 2023-08-08T14:22:24.967

Link: CVE-2022-25219

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "Phicomm Routers", "vendor": "n/a", "versions": [{"status": "affected", "version": "K3 >= 21.5.37.246, K3C >= 32.1.22.113, K2P >= 20.4.1.7, K2 A7 >= 22.6.506.28, K2G A1 >= 22.6.3.20"}]}], "descriptions": [{"lang": "en", "value": "A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot. By means of a crafted exchange of UDP packets, an unauthenticated attacker on the local network can leverage this null byte interaction error in such a way as to make those ephemeral passwords predictable (with 1-in-94 odds). Since the attacker must manipulate data processed by the OpenSSL function RSA_public_decrypt(), successful exploitation of this vulnerability depends on the use of an unpadded RSA cipher (CVE-2022-25218)."}], "problemTypes": [{"descriptions": [{"description": "Null Byte Interaction Error", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-07T21:56:51", "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.tenable.com/security/research/tra-2022-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnreport@tenable.com", "ID": "CVE-2022-25219", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Phicomm Routers", "version": {"version_data": [{"version_value": "K3 >= 21.5.37.246, K3C >= 32.1.22.113, K2P >= 20.4.1.7, K2 A7 >= 22.6.506.28, K2G A1 >= 22.6.3.20"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot. By means of a crafted exchange of UDP packets, an unauthenticated attacker on the local network can leverage this null byte interaction error in such a way as to make those ephemeral passwords predictable (with 1-in-94 odds). Since the attacker must manipulate data processed by the OpenSSL function RSA_public_decrypt(), successful exploitation of this vulnerability depends on the use of an unpadded RSA cipher (CVE-2022-25218)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Null Byte Interaction Error"}]}]}, "references": {"reference_data": [{"name": "https://www.tenable.com/security/research/tra-2022-01", "refsource": "MISC", "url": "https://www.tenable.com/security/research/tra-2022-01"}]}}}}, "cveMetadata": {"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "assignerShortName": "tenable", "cveId": "CVE-2022-25219", "datePublished": "2022-03-07T21:56:51", "dateReserved": "2022-02-15T00:00:00", "dateUpdated": "2022-03-07T21:56:51", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "66980EB4-9FEC-451F-93F1-3E275CD6A462", "versionEndIncluding": "22.5.9.163", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k2:-:*:*:*:*:*:*:*", "matchCriteriaId": "26A205A0-3616-4CD9-A7B8-FEA63742ABE9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k3_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C6D3940-9C77-4A8C-AD55-6857491B43B5", "versionEndIncluding": "21.5.37.246", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k3:-:*:*:*:*:*:*:*", "matchCriteriaId": "7FFD131E-E41A-44BD-81B5-A1A10E64D88B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k3c_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3319332E-25E6-4148-9A57-15FCF51C0413", "versionEndIncluding": "32.1.15.93", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k3c:-:*:*:*:*:*:*:*", "matchCriteriaId": "4D47C172-F2F6-451F-8891-D150DBBA181C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k2g_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4737564-B92D-408E-81EC-598B76EE347F", "versionEndIncluding": "22.6.3.20", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k2g:-:*:*:*:*:*:*:*", "matchCriteriaId": "1C8AE809-CB81-4CEB-B383-0461E3885892", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k2p_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CE04942-4274-4A96-95E4-4838AAAC09A2", "versionEndIncluding": "20.4.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k2p:-:*:*:*:*:*:*:*", "matchCriteriaId": "F80A65CA-B4F2-4912-B991-1D60869D5CB9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot. By means of a crafted exchange of UDP packets, an unauthenticated attacker on the local network can leverage this null byte interaction error in such a way as to make those ephemeral passwords predictable (with 1-in-94 odds). Since the attacker must manipulate data processed by the OpenSSL function RSA_public_decrypt(), successful exploitation of this vulnerability depends on the use of an unpadded RSA cipher (CVE-2022-25218)."}, {"lang": "es", "value": "Se ha detectado un error de interacci\u00f3n de bytes nulos en el c\u00f3digo que el demonio telnetd_startup usa para construir un par de contrase\u00f1as ef\u00edmeras que permiten a un usuario generar un servicio de telnet en el router, y para asegurar que el servicio de telnet persiste tras el reinicio. Por medio de un intercambio dise\u00f1ado de paquetes UDP, un atacante no autenticado en la red local puede aprovechar este error de interacci\u00f3n de bytes nulos de tal manera que haga que esas contrase\u00f1as ef\u00edmeras sean predecibles (con una probabilidad de 1 en 94). Dado que el atacante debe manipular los datos procesados por la funci\u00f3n RSA_public_decrypt() de OpenSSL, una explotaci\u00f3n con \u00e9xito de esta vulnerabilidad depende del uso de un cifrado RSA sin relleno (CVE-2022-25218)"}], "id": "CVE-2022-25219", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-10T17:47:02.457", "references": [{"source": "vulnreport@tenable.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.tenable.com/security/research/tra-2022-01"}], "sourceIdentifier": "vulnreport@tenable.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}