CVE-2023-24022 - OpenCVE

Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.)

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Baicells	Nova233 Rtd Firmware Rts Firmware Nova227 Nova243

Configuration 1 [-]

AND

OR	cpe:2.3:o:baicells:rtd_firmware::::::::
	cpe:2.3:o:baicells:rts_firmware::::::::

OR	cpe:2.3:h:baicells:nova227:-:::::::*
	cpe:2.3:h:baicells:nova233:-:::::::*
	cpe:2.3:h:baicells:nova243:-:::::::*

References

Link	Resource
https://baicells.zendesk.com/hc/en-us/articles/6188324645780-2023-1-17-Hard-Coded-Credential-Crypt-Vulnerability	Patch Vendor Advisory
https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG	Release Notes Vendor Advisory
https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Baicells

Published: 2023-01-24T15:51:17.731Z

Updated: 2023-01-26T06:03:10.975661Z

Reserved: 2023-01-20T19:38:53.748Z

Link: CVE-2023-24022

JSON object: View

NVD Information

Status : Modified

Published: 2023-01-26T21:18:15.593

Modified: 2023-11-07T04:08:15.733

Link: CVE-2023-24022

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-24022", "assignerOrgId": "084566ad-deee-4e89-acff-6b7b1bf9d4b7", "state": "PUBLISHED", "assignerShortName": "Baicells", "dateReserved": "2023-01-20T19:38:53.748Z", "datePublished": "2023-01-24T15:51:17.731Z", "dateUpdated": "2023-01-26T06:03:10.975661Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "3.7.11.3", "platforms": ["RTS"], "product": "Nova 227", "vendor": "Baicells", "versions": [{"changes": [{"at": "3.7.11.6", "status": "unaffected"}], "lessThanOrEqual": "3.7.11.3", "status": "affected", "version": "0", "versionType": "patch"}]}, {"defaultStatus": "unaffected", "packageName": "3.7.11.3", "platforms": ["RTS"], "product": "Nova 233", "vendor": "Baicells", "versions": [{"changes": [{"at": "3.7.11.6", "status": "unaffected"}], "lessThanOrEqual": "3.7.11.3", "status": "affected", "version": "0", "versionType": "patch"}]}, {"defaultStatus": "unaffected", "packageName": "3.7.11.3", "platforms": ["RTS"], "product": "Nova 243", "vendor": "Baicells", "versions": [{"changes": [{"at": "3.7.11.6 ", "status": "unaffected"}], "lessThanOrEqual": "3.7.11.3", "status": "affected", "version": "0", "versionType": "patch"}]}], "credits": [{"lang": "en", "type": "remediation developer", "user": "00000000-0000-4000-9000-000000000000", "value": "Baicells Security Team"}, {"lang": "en", "type": "analyst", "user": "00000000-0000-4000-9000-000000000000", "value": "Baicells Support Manager Blake Volk "}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.) </span><br>"}], "value": "Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.) \n"}], "impacts": [{"capecId": "CAPEC-395", "descriptions": [{"lang": "en", "value": "CAPEC-395 Bypassing Electronic Locks and Access Controls"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "084566ad-deee-4e89-acff-6b7b1bf9d4b7", "shortName": "Baicells", "dateUpdated": "2023-01-26T06:03:10.975661Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://baicells.zendesk.com/hc/en-us/articles/6188324645780-2023-1-17-Hard-Coded-Credential-Crypt-Vulnerability"}, {"tags": ["patch"], "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG"}, {"tags": ["release-notes"], "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Baicells recommends that all customers currently running an earlier version of RTS/RTD upgrade their products to the 3.7.11.6 firmware.</span><br>"}], "value": "Baicells recommends that all customers currently running an earlier version of RTS/RTD upgrade their products to the 3.7.11.6 firmware.\n"}], "source": {"discovery": "INTERNAL"}, "title": "Hard Coded Credential Crypt Vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:baicells:rtd_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "148B43F9-03E6-43FC-9631-94EAFB4497FB", "versionEndExcluding": "3.7.11.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:baicells:rts_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB305C49-EC84-4C16-B961-1DAA3BC6B108", "versionEndExcluding": "3.7.11.6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:baicells:nova227:-:*:*:*:*:*:*:*", "matchCriteriaId": "2FF244C0-5EC5-41ED-8474-23097129A903", "vulnerable": false}, {"criteria": "cpe:2.3:h:baicells:nova233:-:*:*:*:*:*:*:*", "matchCriteriaId": "E9943901-505F-495E-8B83-B6D50E2ECD26", "vulnerable": false}, {"criteria": "cpe:2.3:h:baicells:nova243:-:*:*:*:*:*:*:*", "matchCriteriaId": "B3A7D0D1-2ADE-4EB6-B2C4-060528D60598", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.7.11.3 have hardcoded credentials that are easily discovered and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.) \n"}, {"lang": "es", "value": "Los dispositivos Baicells Nova 227, Nova 233 y Nova 243 LTE TDD eNodeB con firmware hasta RTS/RTD 3.7.11.3 tienen credenciales codificadas que se descubren f\u00e1cilmente y pueden ser utilizadas por atacantes remotos para autenticarse a trav\u00e9s de ssh. (Las credenciales se almacenan en el firmware, cifradas mediante la funci\u00f3n de cripta)."}], "id": "CVE-2023-24022", "lastModified": "2023-11-07T04:08:15.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security@baicells.com", "type": "Secondary"}]}, "published": "2023-01-26T21:18:15.593", "references": [{"source": "security@baicells.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://baicells.zendesk.com/hc/en-us/articles/6188324645780-2023-1-17-Hard-Coded-Credential-Crypt-Vulnerability"}, {"source": "security@baicells.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG"}, {"source": "security@baicells.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf"}], "sourceIdentifier": "security@baicells.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@baicells.com", "type": "Secondary"}]}