CVE-2023-43742 - OpenCVE

An authentication bypass in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an unauthenticated attacker to obtain an administrative session via a protection mechanism failure in the authentication function. In normal operation, the Zultys MX Administrator Windows client connects to port 7505 and attempts authentication, submitting the administrator username and password to the server. Upon authentication failure, the server sends a login failure message prompting the client to disconnect. However, if the client ignores the failure message instead and attempts to continue, the server does not forcibly close the connection and processes all subsequent requests from the client as if authentication had been successful.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Zultys	Mx250 Mx-virtual Firmware Mx-se Ii Firmware Mx-e Firmware Mx30 Mx-virtual Mx250 Firmware Mx-se Mx30 Firmware Mx-e Mx-se Ii Mx-se Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:zultys:mx-se_firmware::::::::
	cpe:2.3:o:zultys:mx-se_firmware::::::::

cpe:2.3:h:zultys:mx-se:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:o:zultys:mx-se_ii_firmware::::::::
	cpe:2.3:o:zultys:mx-se_ii_firmware::::::::

cpe:2.3:h:zultys:mx-se_ii:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

OR	cpe:2.3:o:zultys:mx-e_firmware::::::::
	cpe:2.3:o:zultys:mx-e_firmware::::::::

cpe:2.3:h:zultys:mx-e:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

OR	cpe:2.3:o:zultys:mx-virtual_firmware::::::::
	cpe:2.3:o:zultys:mx-virtual_firmware::::::::

cpe:2.3:h:zultys:mx-virtual:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

OR	cpe:2.3:o:zultys:mx250_firmware::::::::
	cpe:2.3:o:zultys:mx250_firmware::::::::

cpe:2.3:h:zultys:mx250:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

OR	cpe:2.3:o:zultys:mx30_firmware::::::::
	cpe:2.3:o:zultys:mx30_firmware::::::::

cpe:2.3:h:zultys:mx30:-:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2023-0002.md	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-12-08T00:00:00

Updated: 2023-12-08T01:07:43.887358

Reserved: 2023-09-22T00:00:00

Link: CVE-2023-43742

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-08T01:15:07.200

Modified: 2023-12-13T15:41:01.980

Link: CVE-2023-43742

JSON object: View

Redhat Information

No data.

CWE

CWE-287