CVE-2022-26943 - OpenCVE

The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Motorola	Mtm5400 Mtm5400 Firmware Mtm5500 Mtm5500 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:motorola:mtm5500_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:motorola:mtm5500:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:motorola:mtm5400_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:motorola:mtm5400:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://tetraburst.com/

History

No history.

MITRE

Status: PUBLISHED

Assigner: NCSC-NL

Published: 2023-10-19T09:34:20.646Z

Updated: 2024-08-03T05:18:38.337Z

Reserved: 2022-03-11T22:19:24.849Z

Link: CVE-2022-26943

Vulnrichment

Updated: 2024-08-03T05:18:38.337Z

NVD

Status : Modified

Published: 2023-10-19T10:15:09.963

Modified: 2023-11-07T03:45:15.897

Link: CVE-2022-26943

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-26943", "assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39", "state": "PUBLISHED", "assignerShortName": "NCSC-NL", "dateReserved": "2022-03-11T22:19:24.849Z", "datePublished": "2023-10-19T09:34:20.646Z", "dateUpdated": "2024-08-03T05:18:38.337Z"}, "containers": {"cna": {"affected": [{"vendor": "Motorola", "product": "Mobile Radio", "versions": [{"version": "MTM5000", "status": "affected"}]}], "title": "Weak PRNG entropy source used for authentication challenge generation in Motorola MTM5000", "descriptions": [{"lang": "en", "value": "The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-338", "description": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", "type": "CWE"}]}], "providerMetadata": {"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39", "shortName": "NCSC-NL", "dateUpdated": "2024-07-15T00:27:54.327174Z"}, "references": [{"name": "TETRA:BURST", "tags": ["related"], "url": "https://tetraburst.com/"}], "credits": [{"lang": "en", "value": "Midnight Blue", "type": "finder"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H"}}]}, "adp": [{"affected": [{"vendor": "motorola", "product": "mtm5000_series_firmware", "cpes": ["cpe:2.3:h:motorola:mtm5000_series_firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "*", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-15T14:13:05.693366Z", "id": "CVE-2022-26943", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T15:28:46.797Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:18:38.337Z"}, "title": "CVE Program Container", "references": [{"name": "TETRA:BURST", "tags": ["related", "x_transferred"], "url": "https://tetraburst.com/"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://tetraburst.com/", "name": "TETRA:BURST", "tags": ["related", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:18:38.337Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-26943", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-15T14:13:05.693366Z"}}}], "affected": [{"cpes": ["cpe:2.3:h:motorola:mtm5000_series_firmware:*:*:*:*:*:*:*:*"], "vendor": "motorola", "product": "mtm5000_series_firmware", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T15:28:43.196Z"}}], "cna": {"title": "Weak PRNG entropy source used for authentication challenge generation in Motorola MTM5000", "credits": [{"lang": "en", "type": "finder", "value": "Midnight Blue"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Motorola", "product": "Mobile Radio", "versions": [{"status": "affected", "version": "MTM5000"}]}], "references": [{"url": "https://tetraburst.com/", "name": "TETRA:BURST", "tags": ["related"]}], "descriptions": [{"lang": "en", "value": "The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-338", "description": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"}]}], "providerMetadata": {"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39", "shortName": "NCSC-NL", "dateUpdated": "2024-07-15T00:27:54.327174Z"}}}, "cveMetadata": {"cveId": "CVE-2022-26943", "state": "PUBLISHED", "dateUpdated": "2024-08-03T05:18:38.337Z", "dateReserved": "2022-03-11T22:19:24.849Z", "assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39", "datePublished": "2023-10-19T09:34:20.646Z", "assignerShortName": "NCSC-NL"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:motorola:mtm5500_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "BB7C0C44-3660-4B47-A1ED-0BD19EFC5F03", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:motorola:mtm5500:-:*:*:*:*:*:*:*", "matchCriteriaId": "A1A0784B-AE84-4457-A884-5C26EEA8D181", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:motorola:mtm5400_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "FF669A29-B983-40F6-BBA9-D9F67E653BEF", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:motorola:mtm5400:-:*:*:*:*:*:*:*", "matchCriteriaId": "03AA5A43-A1B5-4E1C-A844-691607765E30", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400."}, {"lang": "es", "value": "Los firmwares de la serie Motorola MTM5000 generan desaf\u00edos de autenticaci\u00f3n TETRA utilizando un PRNG que utiliza un registro de conteo de ticks como \u00fanica fuente de entrop\u00eda. La baja entrop\u00eda del tiempo de arranque y la resiembra limitada del grupo hacen que el desaf\u00edo de autenticaci\u00f3n sea vulnerable a dos ataques. En primer lugar, debido a la entrop\u00eda limitada del grupo de tiempo de arranque, un adversario puede derivar el contenido del grupo de entrop\u00eda mediante una b\u00fasqueda exhaustiva de valores posibles, bas\u00e1ndose en un desaf\u00edo de autenticaci\u00f3n observado. En segundo lugar, un adversario puede utilizar el conocimiento del conjunto de entrop\u00eda para predecir los desaf\u00edos de autenticaci\u00f3n. Como tal, la unidad es vulnerable a CVE-2022-24400."}], "id": "CVE-2022-26943", "lastModified": "2023-11-07T03:45:15.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "cert@ncsc.nl", "type": "Secondary"}]}, "published": "2023-10-19T10:15:09.963", "references": [{"source": "cert@ncsc.nl", "tags": ["Technical Description"], "url": "https://tetraburst.com/"}], "sourceIdentifier": "cert@ncsc.nl", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-338"}], "source": "cert@ncsc.nl", "type": "Secondary"}]}