CVE-2022-47732 - OpenCVE

In Yeastar N412 and N824 Configuration Panel 42.x and 45.x, an unauthenticated attacker can create backup file and download it, revealing admin hash, allowing, once cracked, to login inside the Configuration Panel, otherwise, replacing the hash in the archive and restoring it on the device which will change admin password granting access to the device.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Yeastar	N824 Firmware N824 N412 N412 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:yeastar:n824_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:yeastar:n824:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:yeastar:n412_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:yeastar:n412:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.swascan.com/security-advisory-yeastar-n412-and-n824-configuration-panel/	Exploit Technical Description Third Party Advisory
https://www.yeastar.com/n-series-analog-phone-system/	Product Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-01-20T00:00:00

Updated: 2023-01-20T00:00:00

Reserved: 2022-12-21T00:00:00

Link: CVE-2022-47732

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-01-20T17:15:10.880

Modified: 2023-02-06T19:14:01.360

Link: CVE-2022-47732

JSON object: View

Redhat Information

No data.

CWE

CWE-916

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:yeastar:n824_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "5E3C0C40-FF41-4FA7-9D1A-5CC26CE703EE", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:yeastar:n824:-:*:*:*:*:*:*:*", "matchCriteriaId": "5CAA0551-5F64-4039-985C-264AE0BCF624", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:yeastar:n412_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "70CF7C44-A1C9-4452-BF18-F6DCF6923597", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:yeastar:n412:-:*:*:*:*:*:*:*", "matchCriteriaId": "94B68D27-784F-4B18-BAC4-3A4AC7F16249", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "In Yeastar N412 and N824 Configuration Panel 42.x and 45.x, an unauthenticated attacker can create backup file and download it, revealing admin hash, allowing, once cracked, to login inside the Configuration Panel, otherwise, replacing the hash in the archive and restoring it on the device which will change admin password granting access to the device."}], "id": "CVE-2022-47732", "lastModified": "2023-02-06T19:14:01.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-20T17:15:10.880", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://www.swascan.com/security-advisory-yeastar-n412-and-n824-configuration-panel/"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.yeastar.com/n-series-analog-phone-system/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-916"}], "source": "nvd@nist.gov", "type": "Primary"}]}