CVE-2023-4462 - OpenCVE

Vendors	Products
Poly	Ccx 400 Ccx 400 Firmware Ccx 600 Ccx 600 Firmware Trio 8800 Trio 8800 Firmware Trio C60 Trio C60 Firmware

Link	Providers
https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11919.html
https://github.com/modzero/MZ-23-01-Poly-VoIP-Devices
https://modzero.com/en/advisories/mz-23-01-poly-voip/
https://modzero.com/en/blog/multiple-vulnerabilities-in-poly-products/
https://support.hp.com/us-en/document/ish_9929296-9929329-16/hpsbpy03896
https://vuldb.com/?ctiid.249255
https://vuldb.com/?id.249255

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4462", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2023-08-21T17:03:39.985Z", "datePublished": "2023-12-29T09:31:03.494Z", "dateUpdated": "2024-08-02T07:31:05.383Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-01-09T16:16:14.573Z"}, "title": "Poly VVX 601 Web Configuration Application random values", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-330", "lang": "en", "description": "CWE-330 Insufficiently Random Values"}]}], "affected": [{"vendor": "Poly", "product": "Trio 8300", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "Trio 8500", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "Trio 8800", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "Trio C60", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "CCX 350", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "CCX 400", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "CCX 500", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "CCX 505", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "CCX 600", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "CCX 700", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "EDGE E100", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "EDGE E220", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "EDGE E300", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "EDGE E320", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "EDGE E350", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "EDGE E400", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "EDGE E450", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "EDGE E500", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "EDGE E550", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 101", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 150", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 201", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 250", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 300", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 301", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 310", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 311", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 350", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 400", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 401", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 410", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 411", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 450", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 500", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 501", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 600", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}, {"vendor": "Poly", "product": "VVX 601", "versions": [{"version": "n/a", "status": "affected"}], "modules": ["Web Configuration Application"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in Poly Trio 8300, Trio 8500, Trio 8800, Trio C60, CCX 350, CCX 400, CCX 500, CCX 505, CCX 600, CCX 700, EDGE E100, EDGE E220, EDGE E300, EDGE E320, EDGE E350, EDGE E400, EDGE E450, EDGE E500, EDGE E550, VVX 101, VVX 150, VVX 201, VVX 250, VVX 300, VVX 301, VVX 310, VVX 311, VVX 350, VVX 400, VVX 401, VVX 410, VVX 411, VVX 450, VVX 500, VVX 501, VVX 600 and VVX 601. This affects an unknown part of the component Web Configuration Application. The manipulation leads to insufficiently random values. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249255."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in Poly Trio 8300, Trio 8500, Trio 8800, Trio C60, CCX 350, CCX 400, CCX 500, CCX 505, CCX 600, CCX 700, EDGE E100, EDGE E220, EDGE E300, EDGE E320, EDGE E350, EDGE E400, EDGE E450, EDGE E500, EDGE E550, VVX 101, VVX 150, VVX 201, VVX 250, VVX 300, VVX 301, VVX 310, VVX 311, VVX 350, VVX 400, VVX 401, VVX 410, VVX 411, VVX 450, VVX 500, VVX 501, VVX 600 and VVX 601 entdeckt. Sie wurde als problematisch eingestuft. Es betrifft eine unbekannte Funktion der Komponente Web Configuration Application. Mittels Manipulieren mit unbekannten Daten kann eine insufficiently random values-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig auszunutzen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}], "timeline": [{"time": "2023-12-29T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2023-12-29T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2024-01-09T17:18:45.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Christoph Wolff", "type": "finder"}, {"lang": "en", "value": "Pascal Zenker", "type": "finder"}], "references": [{"url": "https://vuldb.com/?id.249255", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.249255", "tags": ["signature", "permissions-required"]}, {"url": "https://modzero.com/en/advisories/mz-23-01-poly-voip/", "tags": ["related"]}, {"url": "https://support.hp.com/us-en/document/ish_9929296-9929329-16/hpsbpy03896", "tags": ["related"]}, {"url": "https://github.com/modzero/MZ-23-01-Poly-VoIP-Devices", "tags": ["exploit"]}, {"url": "https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11919.html", "tags": ["related"]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:31:05.383Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.249255", "tags": ["vdb-entry", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.249255", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://modzero.com/en/advisories/mz-23-01-poly-voip/", "tags": ["related", "x_transferred"]}, {"url": "https://support.hp.com/us-en/document/ish_9929296-9929329-16/hpsbpy03896", "tags": ["related", "x_transferred"]}, {"url": "https://github.com/modzero/MZ-23-01-Poly-VoIP-Devices", "tags": ["exploit", "x_transferred"]}, {"url": "https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11919.html", "tags": ["related", "x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:poly:ccx_400:-:*:*:*:*:*:*:*", "matchCriteriaId": "74C09FB0-DC34-4F03-8560-B607FB8A5245", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:poly:ccx_400_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "E6EF5E6E-D387-4EB1-A533-C005F76F49E0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:poly:ccx_600:-:*:*:*:*:*:*:*", "matchCriteriaId": "8F8D61E7-160F-4E4F-8C73-724DFF3F92C2", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:poly:ccx_600_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "37A9DF12-51BF-4E6A-B753-7481C95F22AD", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:poly:trio_8800:-:*:*:*:*:*:*:*", "matchCriteriaId": "39862A32-5AF6-41F9-9C25-9D68EB3784DC", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:poly:trio_8800_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "6307C9DD-572F-44E4-ADCD-205CC1553774", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:poly:trio_c60:-:*:*:*:*:*:*:*", "matchCriteriaId": "6CDD2376-BD9D-4B5E-B776-0F627D09E025", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:poly:trio_c60_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "3CC00989-4E87-48F1-9EC9-53F0AB4F445C", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in Poly Trio 8300, Trio 8500, Trio 8800, Trio C60, CCX 350, CCX 400, CCX 500, CCX 505, CCX 600, CCX 700, EDGE E100, EDGE E220, EDGE E300, EDGE E320, EDGE E350, EDGE E400, EDGE E450, EDGE E500, EDGE E550, VVX 101, VVX 150, VVX 201, VVX 250, VVX 300, VVX 301, VVX 310, VVX 311, VVX 350, VVX 400, VVX 401, VVX 410, VVX 411, VVX 450, VVX 500, VVX 501, VVX 600 and VVX 601. This affects an unknown part of the component Web Configuration Application. The manipulation leads to insufficiently random values. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249255."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en Poly CCX 400, CCX 600, Trio 8800 y Trio C60 y clasificada como problem\u00e1tica. Una parte desconocida del componente Web Configuration Application afecta a una parte desconocida. La manipulaci\u00f3n conduce a valores insuficientemente aleatorios. Es posible iniciar el ataque de forma remota. La complejidad de un ataque es bastante alta. Se dice que la explotabilidad es dif\u00edcil. La explotaci\u00f3n ha sido divulgada al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-249255."}], "id": "CVE-2023-4462", "lastModified": "2024-05-17T02:31:35.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2023-12-29T10:15:11.100", "references": [{"source": "cna@vuldb.com", "tags": ["Not Applicable"], "url": "https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11919.html"}, {"source": "cna@vuldb.com", "url": "https://github.com/modzero/MZ-23-01-Poly-VoIP-Devices"}, {"source": "cna@vuldb.com", "url": "https://modzero.com/en/advisories/mz-23-01-poly-voip/"}, {"source": "nvd@nist.gov", "tags": ["Exploit", "Third Party Advisory"], "url": "https://modzero.com/en/blog/multiple-vulnerabilities-in-poly-products/"}, {"source": "cna@vuldb.com", "url": "https://support.hp.com/us-en/document/ish_9929296-9929329-16/hpsbpy03896"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://vuldb.com/?ctiid.249255"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.249255"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "cna@vuldb.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object