CVE-2023-49115 - Vulnerability Details - OpenCVE

MachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Machinesense	Feverwarn Feverwarn Firmware

Configuration 1 [-]

AND

cpe:2.3:o:machinesense:feverwarn_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:machinesense:feverwarn:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://machinesense.com/pages/about-machinesense
https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-02-01T22:28:08.697Z

Updated: 2024-08-02T21:46:28.903Z

Reserved: 2023-11-30T20:38:25.995Z

Link: CVE-2023-49115

Vulnrichment

Updated: 2024-08-02T21:46:28.903Z

NVD

Status : Modified

Published: 2024-02-01T23:15:09.773

Modified: 2024-11-21T08:32:51.937

Link: CVE-2023-49115

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49115", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2023-11-30T20:38:25.995Z", "datePublished": "2024-02-01T22:28:08.697Z", "dateUpdated": "2024-08-02T21:46:28.903Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "FeverWarn", "vendor": "MachineSense", "versions": [{"status": "affected", "version": "ESP32"}, {"status": "affected", "version": "RaspberryPi"}, {"status": "affected", "version": "DataHub RaspberryPi"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Vera Mens of Claroty Research reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">MachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users.</span>\n\n</span>\n\n</span>\n\n</span>\n\n"}], "value": "\n\n\n\n\n\n\nMachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users.\n\n\n\n\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-02-01T22:28:08.697Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01"}, {"url": "https://machinesense.com/pages/about-machinesense"}], "source": {"discovery": "EXTERNAL"}, "tags": ["unsupported-when-assigned"], "title": "MachineSense FeverWarn Missing Authentication for Critical Function", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">FeverWarn and the associated cloud service were pandemic-specific products for elevated body temperature scanning, discontinued by MachineSense prior to the end of the pandemic. They are no longer available, and there will be no future availability or upgrades. MachineSense is not aware of any current users of FeverWarn. Users of the affected product are encouraged to </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://machinesense.com/pages/about-machinesense\">contact MachineSense</a><span style=\"background-color: rgb(255, 255, 255);\"> for additional information.</span>\n\n<br>"}], "value": "\nFeverWarn and the associated cloud service were pandemic-specific products for elevated body temperature scanning, discontinued by MachineSense prior to the end of the pandemic. They are no longer available, and there will be no future availability or upgrades. MachineSense is not aware of any current users of FeverWarn. Users of the affected product are encouraged to contact MachineSense https://machinesense.com/pages/about-machinesense \u00a0for additional information.\n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "machinesense", "product": "feverwarn", "cpes": ["cpe:2.3:h:machinesense:feverwarn:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "esp32", "status": "affected"}, {"version": "raspberrypi", "status": "affected"}, {"version": "datahub_raspberrypi", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-28T16:49:31.121618Z", "id": "CVE-2023-49115", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-28T16:50:38.247Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:28.903Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01", "tags": ["x_transferred"]}, {"url": "https://machinesense.com/pages/about-machinesense", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01", "tags": ["x_transferred"]}, {"url": "https://machinesense.com/pages/about-machinesense", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:28.903Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-49115", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-28T16:49:31.121618Z"}}}], "affected": [{"cpes": ["cpe:2.3:h:machinesense:feverwarn:-:*:*:*:*:*:*:*"], "vendor": "machinesense", "product": "feverwarn", "versions": [{"status": "affected", "version": "esp32"}, {"status": "affected", "version": "raspberrypi"}, {"status": "affected", "version": "datahub_raspberrypi"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-25T14:04:32.690Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "MachineSense FeverWarn Missing Authentication for Critical Function", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Vera Mens of Claroty Research reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MachineSense", "product": "FeverWarn", "versions": [{"status": "affected", "version": "ESP32"}, {"status": "affected", "version": "RaspberryPi"}, {"status": "affected", "version": "DataHub RaspberryPi"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01"}, {"url": "https://machinesense.com/pages/about-machinesense"}], "workarounds": [{"lang": "en", "value": "\nFeverWarn and the associated cloud service were pandemic-specific products for elevated body temperature scanning, discontinued by MachineSense prior to the end of the pandemic. They are no longer available, and there will be no future availability or upgrades. MachineSense is not aware of any current users of FeverWarn. Users of the affected product are encouraged to contact MachineSense https://machinesense.com/pages/about-machinesense \u00a0for additional information.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">FeverWarn and the associated cloud service were pandemic-specific products for elevated body temperature scanning, discontinued by MachineSense prior to the end of the pandemic. They are no longer available, and there will be no future availability or upgrades. MachineSense is not aware of any current users of FeverWarn. Users of the affected product are encouraged to </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://machinesense.com/pages/about-machinesense\">contact MachineSense</a><span style=\"background-color: rgb(255, 255, 255);\"> for additional information.</span>\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\nMachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users.\n\n\n\n\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">MachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users.</span>\n\n</span>\n\n</span>\n\n</span>\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-02-01T22:28:08.697Z"}}}, "cveMetadata": {"cveId": "CVE-2023-49115", "state": "PUBLISHED", "dateUpdated": "2024-08-02T21:46:28.903Z", "dateReserved": "2023-11-30T20:38:25.995Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2024-02-01T22:28:08.697Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:machinesense:feverwarn_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "45F21168-E7F1-49E4-84B0-0B4EB9C6DE50", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:machinesense:feverwarn:-:*:*:*:*:*:*:*", "matchCriteriaId": "489AD7C3-7648-4398-BA27-450E909171EC", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [{"sourceIdentifier": "ics-cert@hq.dhs.gov", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\nMachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users.\n\n\n\n\n\n\n\n"}, {"lang": "es", "value": "Los dispositivos MachineSense utilizan mensajes MQTT no autenticados para monitorear dispositivos y la visualizaci\u00f3n remota de datos de sensores por parte de los usuarios."}], "id": "CVE-2023-49115", "lastModified": "2024-11-21T08:32:51.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-01T23:15:09.773", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://machinesense.com/pages/about-machinesense"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://machinesense.com/pages/about-machinesense"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}