CVE-2023-3769 - OpenCVE

Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Ingeteam	Ingepac Fc5066 Ingepac Fc5066 Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:ingeteam:ingepac_fc5066_firmware:5.3.1.1:::::::*
	cpe:2.3:o:ingeteam:ingepac_fc5066_firmware:6.1.1.22:::::::*
	cpe:2.3:o:ingeteam:ingepac_fc5066_firmware:9.0.22.6:::::::*

cpe:2.3:h:ingeteam:ingepac_fc5066:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products

History

Fri, 20 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-10-02T13:01:03.985Z

Updated: 2024-09-20T14:56:18.313Z

Reserved: 2023-07-19T11:41:49.204Z

Link: CVE-2023-3769

Vulnrichment

Updated: 2024-08-02T07:08:49.937Z

NVD

Status : Analyzed

Published: 2023-10-02T14:15:10.017

Modified: 2023-10-04T13:16:45.607

Link: CVE-2023-3769

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3769", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-07-19T11:41:49.204Z", "datePublished": "2023-10-02T13:01:03.985Z", "dateUpdated": "2024-09-20T14:56:18.313Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "INGEPAC FC5066", "vendor": "Ingeteam", "versions": [{"status": "affected", "version": "9.0.22.6+6.1.1.22+5.3.1.1"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Aar\u00f3n Flecha Men\u00e9ndez and Gabriel V\u00eda Echezarreta."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services."}], "value": "Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services."}], "impacts": [{"capecId": "CAPEC-10", "descriptions": [{"lang": "en", "value": "CAPEC-10 Buffer Overflow via Environment Variables"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-10-23T10:15:07.508Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "9.8.30.0 version and later.<br>"}], "value": "9.8.30.0 version and later.\n"}], "source": {"discovery": "EXTERNAL"}, "title": "Vulnerability in Ingeteam's INGEPAC EF ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:08:49.937Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "ingeteam", "product": "ingepac_fc5066", "cpes": ["cpe:2.3:h:ingeteam:ingepac_fc5066:-:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "9.0.22.6+6.1.1.22+5.3.1.1", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-20T14:54:52.752058Z", "id": "CVE-2023-3769", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-20T14:56:18.313Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:08:49.937Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3769", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-20T14:54:52.752058Z"}}}], "affected": [{"cpes": ["cpe:2.3:h:ingeteam:ingepac_fc5066:-:*:*:*:*:*:*:*"], "vendor": "ingeteam", "product": "ingepac_fc5066", "versions": [{"status": "affected", "version": "9.0.22.6+6.1.1.22+5.3.1.1"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-20T14:56:12.917Z"}}], "cna": {"title": "Vulnerability in Ingeteam's INGEPAC EF ", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Aar\u00f3n Flecha Men\u00e9ndez and Gabriel V\u00eda Echezarreta."}], "impacts": [{"capecId": "CAPEC-10", "descriptions": [{"lang": "en", "value": "CAPEC-10 Buffer Overflow via Environment Variables"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ingeteam", "product": "INGEPAC FC5066", "versions": [{"status": "affected", "version": "9.0.22.6+6.1.1.22+5.3.1.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "9.8.30.0 version and later.\n", "supportingMedia": [{"type": "text/html", "value": "9.8.30.0 version and later.<br>", "base64": false}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services.", "supportingMedia": [{"type": "text/html", "value": "Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-10-23T10:15:07.508Z"}}}, "cveMetadata": {"cveId": "CVE-2023-3769", "state": "PUBLISHED", "dateUpdated": "2024-09-20T14:56:18.313Z", "dateReserved": "2023-07-19T11:41:49.204Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2023-10-02T13:01:03.985Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ingeteam:ingepac_fc5066_firmware:5.3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A2AF8E2-4307-4EED-8953-C7B399A9400B", "vulnerable": true}, {"criteria": "cpe:2.3:o:ingeteam:ingepac_fc5066_firmware:6.1.1.22:*:*:*:*:*:*:*", "matchCriteriaId": "F9C6C5FB-751D-40C5-96BB-C4BAB5A240A2", "vulnerable": true}, {"criteria": "cpe:2.3:o:ingeteam:ingepac_fc5066_firmware:9.0.22.6:*:*:*:*:*:*:*", "matchCriteriaId": "F1696356-ED01-4C18-B22C-89743EAF3CD9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ingeteam:ingepac_fc5066:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB41D719-A8E1-4D91-8998-FF36D7E5D5FF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect data input validation vulnerability, which could allow an attacker with access to the network to implement fuzzing techniques that would allow him to gain knowledge about specially crafted packets that would create a DoS condition through the MMS protocol when initiating communication, achieving a complete system reboot of the device and its services."}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n de entrada de datos incorrecta, que podr\u00eda permitir a un atacante con acceso a la red implementar t\u00e9cnicas de fuzzing que le permitir\u00edan obtener conocimiento sobre paquetes especialmente manipulados que crear\u00edan una condici\u00f3n DoS a trav\u00e9s del protocolo MMS al iniciar la comunicaci\u00f3n, logrando un reinicio completo del sistema del dispositivo y sus servicios."}], "id": "CVE-2023-3769", "lastModified": "2023-10-04T13:16:45.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2023-10-02T14:15:10.017", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ingeteam-products"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}