CVE-2023-3768 - Vulnerability Details - OpenCVE

Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00057.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Ingeteam	Ingepac Da3451 Ingepac Da3451 Firmware Ingepac Ef Md Ingepac Ef Md Firmware Ingepac Fc5066 Ingepac Fc5066 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:ingeteam:ingepac_da3451_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ingeteam:ingepac_da3451:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:ingeteam:ingepac_ef_md_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ingeteam:ingepac_ef_md:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:ingeteam:ingepac_fc5066_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ingeteam:ingepac_fc5066:-:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

1.0.4.0 version (released on 30-09-2021) and later.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products

History

Fri, 20 Sep 2024 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-10-02T10:55:39.288Z

Updated: 2024-09-20T16:49:01.471Z

Reserved: 2023-07-19T11:41:48.222Z

Link: CVE-2023-3768

Vulnrichment

Updated: 2024-08-02T07:08:49.809Z

NVD

Status : Modified

Published: 2023-10-02T11:15:50.213

Modified: 2024-11-21T08:18:01.240

Link: CVE-2023-3768

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3768", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-07-19T11:41:48.222Z", "datePublished": "2023-10-02T10:55:39.288Z", "dateUpdated": "2024-09-20T16:49:01.471Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "INGEPAC DA3451", "vendor": "Ingeteam", "versions": [{"status": "affected", "version": "0.29.2.42"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Aar\u00f3n Flecha Men\u00e9ndez and Gabriel V\u00eda Echezarreta"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services."}], "value": "Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services."}], "impacts": [{"capecId": "CAPEC-10", "descriptions": [{"lang": "en", "value": "CAPEC-10 Buffer Overflow via Environment Variables"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-10-23T10:14:24.319Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">1.0.4.0 version (released on 30-09-2021) and later.</span></span><br>"}], "value": "\n\n\n1.0.4.0 version (released on 30-09-2021) and later.\n"}], "source": {"discovery": "EXTERNAL"}, "title": "Vulnerability in Ingeteam's INGEPAC EF/DA", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:08:49.809Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-20T16:48:36.887942Z", "id": "CVE-2023-3768", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-20T16:49:01.471Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:08:49.809Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3768", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-20T16:48:36.887942Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-20T16:48:57.390Z"}}], "cna": {"title": "Vulnerability in Ingeteam's INGEPAC EF/DA", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Aar\u00f3n Flecha Men\u00e9ndez and Gabriel V\u00eda Echezarreta"}], "impacts": [{"capecId": "CAPEC-10", "descriptions": [{"lang": "en", "value": "CAPEC-10 Buffer Overflow via Environment Variables"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ingeteam", "product": "INGEPAC DA3451", "versions": [{"status": "affected", "version": "0.29.2.42"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "\n\n\n1.0.4.0 version (released on 30-09-2021) and later.\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">1.0.4.0 version (released on 30-09-2021) and later.</span></span><br>", "base64": false}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services.", "supportingMedia": [{"type": "text/html", "value": "Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-10-23T10:14:24.319Z"}}}, "cveMetadata": {"cveId": "CVE-2023-3768", "state": "PUBLISHED", "dateUpdated": "2024-09-20T16:49:01.471Z", "dateReserved": "2023-07-19T11:41:48.222Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2023-10-02T10:55:39.288Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ingeteam:ingepac_da3451_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "AB38E74A-28BC-4EA4-B8C1-EFCD09AEC8BE", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ingeteam:ingepac_da3451:-:*:*:*:*:*:*:*", "matchCriteriaId": "6DD52223-F39F-4012-8CF2-55E3404CD410", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ingeteam:ingepac_ef_md_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "59BCB6DD-B431-4027-ABAA-03AE042BC1E0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ingeteam:ingepac_ef_md:-:*:*:*:*:*:*:*", "matchCriteriaId": "EF9F2C3C-C4C4-4A40-8E8B-6FC0B462DD9B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ingeteam:ingepac_fc5066_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "B8135BC2-79BA-4FCD-8EDF-05E8C5CBF142", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ingeteam:ingepac_fc5066:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB41D719-A8E1-4D91-8998-FF36D7E5D5FF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services."}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n de entrada de datos incorrecta, que podr\u00eda permitir a un atacante con acceso a la red implementar t\u00e9cnicas de fuzzing que le permitir\u00edan obtener conocimiento sobre paquetes especialmente manipulados que crear\u00edan una condici\u00f3n DoS a trav\u00e9s del protocolo MMS al iniciar la comunicaci\u00f3n, logrando un reinicio completo del sistema del dispositivo y sus servicios."}], "id": "CVE-2023-3768", "lastModified": "2024-11-21T08:18:01.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-02T11:15:50.213", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}