CVE-2023-28865

{"id": "CVE-2023-28865", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.7}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.7}]}, "published": "2024-08-08T18:15:09.533", "references": [{"url": "https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Matt%20Burch%20-%20Where%E2%80%99s%20the%20Money%20-%20Defeating%20ATM%20Disk%20Encryption-white%20paper.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.dieboldnixdorf.com/en-us/banking/portfolio/software/security/", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-345"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-353"}]}], "descriptions": [{"lang": "en", "value": "Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR15, 4.0.0 SR05, 4.1.0 SR03, and 4.2.0 SR02 fails to validate the directory contents of certain directories (e.g., ensuring the expected hash sum) during the Pre-Boot Authorization (PBA) process. This can be exploited by a physical attacker who is able to manipulate the contents of the system's hard disk."}, {"lang": "es", "value": "Diebold Nixdorf Vynamic Security Suite (VSS) anterior a 3.3.0 SR15, 4.0.0 SR05, 4.1.0 SR03 y 4.2.0 SR02 no puede validar el contenido del directorio de ciertos directorios (por ejemplo, garantizar la suma hash esperada) durante la fase Pre-Boot Authorization (PBA). Esto puede ser aprovechado por un atacante f\u00edsico que pueda manipular el contenido del disco duro del sistema."}], "lastModified": "2024-08-19T19:04:14.230", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dieboldnixdorf:vynamic_security_suite:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A0DCAA7-1178-4647-B2D0-4CCC6C12C843", "versionEndExcluding": "3.3.0sr15"}, {"criteria": "cpe:2.3:a:dieboldnixdorf:vynamic_security_suite:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06F82886-CFE8-45C2-8438-2ECEF1EBB323", "versionEndExcluding": "4.0.0sr05", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:dieboldnixdorf:vynamic_security_suite:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE37B991-7D9E-4E50-9162-FF0A9843B7F7", "versionEndExcluding": "4.1.0sr03", "versionStartIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:dieboldnixdorf:vynamic_security_suite:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78335240-1A2E-43F0-89ED-EA2ACB89B926", "versionEndExcluding": "4.2.0sr02", "versionStartIncluding": "4.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}