CVE-2023-40465 - Vulnerability Details - OpenCVE

Several versions of
ALEOS, including ALEOS 4.16.0, include an opensource

third-party
component which can be exploited from the local

area network,
resulting in a Denial of Service condition for the captive portal.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00002.

Key SSVC decision points have not yet been added.

Vendors	Products
Sierrawireless Subscribe	Aleos Subscribe Es450 Subscribe Gx450 Subscribe Lx40 Subscribe Lx60 Subscribe Mp70 Subscribe Rv50x Subscribe Rv55 Subscribe

Configuration 1 [-]

AND

cpe:2.3:o:sierrawireless:aleos:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:sierrawireless:es450:-:::::::*
	cpe:2.3:h:sierrawireless:gx450:-:::::::*
	cpe:2.3:h:sierrawireless:lx40:-:::::::*
	cpe:2.3:h:sierrawireless:lx60:-:::::::*
	cpe:2.3:h:sierrawireless:mp70:-:::::::*
	cpe:2.3:h:sierrawireless:rv50x:-:::::::*
	cpe:2.3:h:sierrawireless:rv55:-:::::::*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.6KUVtE6w.dpbs

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: SWI

Published: 2023-12-04T23:02:04.103Z

Updated: 2024-08-02T18:31:53.825Z

Reserved: 2023-08-14T20:59:20.798Z

Link: CVE-2023-40465

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-04T23:15:26.247

Modified: 2024-11-21T08:19:31.677

Link: CVE-2023-40465

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40465", "assignerOrgId": "747bec18-acd0-4d99-a5c8-5e366c66ab7e", "state": "PUBLISHED", "assignerShortName": "SWI", "dateReserved": "2023-08-14T20:59:20.798Z", "datePublished": "2023-12-04T23:02:04.103Z", "dateUpdated": "2024-08-02T18:31:53.825Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ALEOS", "vendor": "SierraWireless", "versions": [{"lessThanOrEqual": "4.16", "status": "affected", "version": "4.10", "versionType": "Custom"}, {"lessThanOrEqual": "4.9.8", "status": "affected", "version": "0", "versionType": "Custom"}]}], "datePublic": "2023-11-28T18:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\n\n\n\n\n\n\n\n<p>Several versions of\nALEOS, including ALEOS 4.16.0, include an opensource</p>\n\n<p>third-party\ncomponent which can be exploited from the local</p>\n\n<p>area network,\nresulting in a Denial of Service condition for the captive portal.</p>\n\n\n\n\n\n"}], "value": "\n\n\n\n\n\n\n\n\n\nSeveral versions of\nALEOS, including ALEOS 4.16.0, include an opensource\n\n\n\nthird-party\ncomponent which can be exploited from the local\n\n\n\narea network,\nresulting in a Denial of Service condition for the captive portal.\n\n\n\n\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "Remote-Code Execution"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "Denial of Service"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-122", "description": "CWE-122", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "747bec18-acd0-4d99-a5c8-5e366c66ab7e", "shortName": "SWI", "dateUpdated": "2023-12-04T23:02:04.103Z"}, "references": [{"url": "https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.6KUVtE6w.dpbs"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper input leads to DoS", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:31:53.825Z"}, "title": "CVE Program Container", "references": [{"url": "https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.6KUVtE6w.dpbs", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:sierrawireless:aleos:*:*:*:*:*:*:*:*", "matchCriteriaId": "45265DDA-E10F-49D0-B2C6-FC123C42E5AE", "versionEndIncluding": "4.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:sierrawireless:es450:-:*:*:*:*:*:*:*", "matchCriteriaId": "524DF1AE-21F2-4AA6-99E7-6F98304FF845", "vulnerable": false}, {"criteria": "cpe:2.3:h:sierrawireless:gx450:-:*:*:*:*:*:*:*", "matchCriteriaId": "2C12CF71-FE0E-44EA-9F2E-7CFB42E7C216", "vulnerable": false}, {"criteria": "cpe:2.3:h:sierrawireless:lx40:-:*:*:*:*:*:*:*", "matchCriteriaId": "069DD303-C100-4FAF-BD6B-4EE61CBDE9F7", "vulnerable": false}, {"criteria": "cpe:2.3:h:sierrawireless:lx60:-:*:*:*:*:*:*:*", "matchCriteriaId": "2A3B7B3D-1594-434B-8E22-01C67DF54F16", "vulnerable": false}, {"criteria": "cpe:2.3:h:sierrawireless:mp70:-:*:*:*:*:*:*:*", "matchCriteriaId": "007D4629-4BE2-4C7A-AC8B-E87739E22D12", "vulnerable": false}, {"criteria": "cpe:2.3:h:sierrawireless:rv50x:-:*:*:*:*:*:*:*", "matchCriteriaId": "61D3EF27-E823-4E49-BD58-D050EB02D294", "vulnerable": false}, {"criteria": "cpe:2.3:h:sierrawireless:rv55:-:*:*:*:*:*:*:*", "matchCriteriaId": "215BD4AB-8EFD-4F82-ABE4-E7F81AD528C2", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\n\n\n\nSeveral versions of\nALEOS, including ALEOS 4.16.0, include an opensource\n\n\n\nthird-party\ncomponent which can be exploited from the local\n\n\n\narea network,\nresulting in a Denial of Service condition for the captive portal.\n\n\n\n\n\n\n\n"}, {"lang": "es", "value": "Varias versiones de ALEOS, incluida ALEOS 4.16.0, incluyen un componente de terceros de c\u00f3digo abierto que puede explotarse desde la red de \u00e1rea local, lo que genera una condici\u00f3n de denegaci\u00f3n de servicio para el portal cautivo."}], "id": "CVE-2023-40465", "lastModified": "2024-11-21T08:19:31.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "security@sierrawireless.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-04T23:15:26.247", "references": [{"source": "security@sierrawireless.com", "tags": ["Vendor Advisory"], "url": "https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.6KUVtE6w.dpbs"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.6KUVtE6w.dpbs"}], "sourceIdentifier": "security@sierrawireless.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-122"}], "source": "security@sierrawireless.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}