CVE-2023-5592 - OpenCVE

Download of Code Without Integrity Check vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) allows an unauthenticated remote attacker to download and execute applications without integrity checks on the device which may result in a complete loss of integrity.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Phoenixcontact	Multiprog Proconos Eclr

Configuration 1 [-]

cpe:2.3:a:phoenixcontact:multiprog:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:phoenixcontact:proconos_eclr:*:*:*:*:*:*:*:*

References

Link	Resource
https://cert.vde.com/en/advisories/VDE-2023-054/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: CERTVDE

Published: 2023-12-14T14:04:41.083Z

Updated: 2023-12-14T14:04:41.083Z

Reserved: 2023-10-16T05:31:39.868Z

Link: CVE-2023-5592

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-14T14:15:45.427

Modified: 2023-12-21T17:16:30.290

Link: CVE-2023-5592

JSON object: View

Redhat Information

No data.

CWE

CWE-494

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-5592", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2023-10-16T05:31:39.868Z", "datePublished": "2023-12-14T14:04:41.083Z", "dateUpdated": "2023-12-14T14:04:41.083Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MULTIPROG", "vendor": "PHOENIX CONTACT", "versions": [{"status": "affected", "version": "all"}]}, {"defaultStatus": "unaffected", "product": "ProConOS eCLR (SDK)", "vendor": "PHOENIX CONTACT", "versions": [{"status": "affected", "version": "all"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Reid Wightman of Dragos, Inc."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Download of Code Without Integrity Check vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) allows an unauthenticated remote attacker to download and execute applications without integrity checks on the device which may result in a complete loss of integrity."}], "value": "Download of Code Without Integrity Check vulnerability in PHOENIX CONTACT MULTIPROG, PHOENIX CONTACT ProConOS eCLR (SDK) allows an unauthenticated remote attacker to download and execute applications without integrity checks on the device which may result in a complete loss of integrity."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-494", "description": "CWE-494 Download of Code Without Integrity Check", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2023-12-14T14:04:41.083Z"}, "references": [{"url": "https://cert.vde.com/en/advisories/VDE-2023-054/"}], "source": {"advisory": "VDE-2023-051", "defect": ["CERT@VDE#64360"], "discovery": "EXTERNAL"}, "title": "Phoenix Contact: ProConOs prone to Download of Code Without Integrity Check", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}