CVE-2023-31176 - OpenCVE

An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication. See product Instruction Manual Appendix A dated 20230830 for more details.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Selinc	Sel-451 Sel-451 Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware::::::::
	cpe:2.3:o:selinc:sel-451_firmware:r326-v0:::::::*
	cpe:2.3:o:selinc:sel-451_firmware:r327-v0:::::::*

cpe:2.3:h:selinc:sel-451:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://selinc.com/support/security-notifications/external-reports/
https://www.nozominetworks.com/blog/

History

No history.

MITRE

Status: PUBLISHED

Assigner: SEL

Published: 2023-11-30T16:53:11.383Z

Updated: 2024-08-02T14:45:25.800Z

Reserved: 2023-04-24T23:20:01.609Z

Link: CVE-2023-31176

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-11-30T17:15:08.520

Modified: 2023-12-06T00:34:55.520

Link: CVE-2023-31176

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-31176", "assignerOrgId": "5804bb70-792c-43e0-8596-486cc0efe699", "state": "PUBLISHED", "assignerShortName": "SEL", "dateReserved": "2023-04-24T23:20:01.609Z", "datePublished": "2023-11-30T16:53:11.383Z", "dateUpdated": "2024-08-02T14:45:25.800Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SEL-451", "vendor": "Schweitzer Engineering Laboratories", "versions": [{"lessThan": "R315-V4", "status": "affected", "version": "R315-V0", "versionType": "custom"}, {"lessThan": "R316-V4", "status": "affected", "version": "R316-V0", "versionType": "custom"}, {"lessThan": "R317-V4", "status": "affected", "version": "R317-V0", "versionType": "custom"}, {"lessThan": "R318-V5", "status": "affected", "version": "R318-V0", "versionType": "custom"}, {"lessThan": "R320-V3", "status": "affected", "version": "R320-V0", "versionType": "custom"}, {"lessThan": "R321-V3", "status": "affected", "version": "R321-V0", "versionType": "custom"}, {"lessThan": "R322-V3", "status": "affected", "version": "R322-V0", "versionType": "custom"}, {"lessThan": "R323-V5", "status": "affected", "version": "R323-V0", "versionType": "custom"}, {"lessThan": "R324-V4", "status": "affected", "version": "R324-V0", "versionType": "custom"}, {"lessThan": "R325-V3", "status": "affected", "version": "R325-V0", "versionType": "custom"}, {"lessThan": "R326-V1", "status": "affected", "version": "R326-V0", "versionType": "custom"}, {"lessThan": "R327-V1", "status": "affected", "version": "R327-V0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Andrea Palanca and Gabriele Quagliarella of Nozomi Networks"}], "datePublic": "2023-11-30T09:56:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication. <br><p>\n\nSee product Instruction Manual Appendix A dated 20230830 for more details.</p>\n\n"}], "value": "An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication.\u00a0\n\n\nSee product Instruction Manual Appendix A dated 20230830 for more details.\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-331", "description": "CWE-331 Insufficient Entropy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5804bb70-792c-43e0-8596-486cc0efe699", "shortName": "SEL", "dateUpdated": "2023-11-30T16:53:11.383Z"}, "references": [{"url": "https://selinc.com/support/security-notifications/external-reports/"}, {"url": "https://www.nozominetworks.com/blog/"}], "source": {"discovery": "UNKNOWN"}, "title": "Insufficient entropy vulnerability could lead to authentication bypass", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:45:25.800Z"}, "title": "CVE Program Container", "references": [{"url": "https://selinc.com/support/security-notifications/external-reports/", "tags": ["x_transferred"]}, {"url": "https://www.nozominetworks.com/blog/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "567CA071-8A2D-40DD-A3DF-0FD73739476F", "versionEndExcluding": "r315-v4", "versionStartIncluding": "r315-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE50B5EC-2A69-4EA9-A16D-5A0BF38D2861", "versionEndExcluding": "r316-v4", "versionStartIncluding": "r316-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D9D6B6F3-8D35-46B5-879C-26F22ED4AA2D", "versionEndExcluding": "r317-v4", "versionStartIncluding": "r317-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DC6FE46-8B20-47D6-8A88-1708978C49D1", "versionEndExcluding": "r318-v5", "versionStartIncluding": "r318-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E3E5B0A-E01A-4A5B-894C-DF83E4E5B23F", "versionEndExcluding": "r320-v3", "versionStartIncluding": "r320-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "7505AF51-82AF-4145-B794-CA0B5048DD7E", "versionEndExcluding": "r321-v3", "versionStartIncluding": "r321-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F092F10-4440-4FC4-8B0B-44B86F1742B8", "versionEndExcluding": "r322-v3", "versionStartIncluding": "r322-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B80DF635-298D-45B6-A5F7-71386587E6A8", "versionEndExcluding": "r323-v5", "versionStartIncluding": "r323-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E9473AE-F0E1-49A2-BD2E-CEAC21B5CF9C", "versionEndExcluding": "r324-v4", "versionStartIncluding": "r324-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "77E42746-C95B-476B-8734-0DE9FA1C611C", "versionEndExcluding": "r325-v3", "versionStartIncluding": "r325-v0", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:r326-v0:*:*:*:*:*:*:*", "matchCriteriaId": "8EF1EF31-FFF7-4A3B-8A9F-2BD4CC355CD2", "vulnerable": true}, {"criteria": "cpe:2.3:o:selinc:sel-451_firmware:r327-v0:*:*:*:*:*:*:*", "matchCriteriaId": "B9C7EDD0-52E2-45E7-975C-B194F2902F5D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:selinc:sel-451:-:*:*:*:*:*:*:*", "matchCriteriaId": "9BBDB9B5-DAF0-4A78-88E3-1EB6486F8A13", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication.\u00a0\n\n\nSee product Instruction Manual Appendix A dated 20230830 for more details.\n\n\n\n"}, {"lang": "es", "value": "Una vulnerabilidad de entrop\u00eda insuficiente en Schweitzer Engineering Laboratories SEL-451 podr\u00eda permitir que un atacante remoto no autenticado utilice tokens de sesi\u00f3n de fuerza bruta y eluda la autenticaci\u00f3n. Consulte el Ap\u00e9ndice A del Manual de instrucciones del producto con fecha 20230830 para obtener m\u00e1s detalles."}], "id": "CVE-2023-31176", "lastModified": "2023-12-06T00:34:55.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@selinc.com", "type": "Secondary"}]}, "published": "2023-11-30T17:15:08.520", "references": [{"source": "security@selinc.com", "tags": ["Vendor Advisory"], "url": "https://selinc.com/support/security-notifications/external-reports/"}, {"source": "security@selinc.com", "tags": ["Third Party Advisory"], "url": "https://www.nozominetworks.com/blog/"}], "sourceIdentifier": "security@selinc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-331"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-331"}], "source": "security@selinc.com", "type": "Secondary"}]}