CVE-2023-32348

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. It connects new devices in a manner that allows the new device to communicate with all Teltonika devices connected to the VPN. The OpenVPN server also allows users to route through it. An attacker could route a connection to a remote server through the OpenVPN server, enabling them to scan and access data from other Teltonika devices connected to the VPN.

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08	Third Party Advisory US Government Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:teltonika:remote_management_system:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:03

Type	Values Removed	Values Added
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08 - Third Party Advisory, US Government Resource~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08 - Third Party Advisory, US Government Resource

Information

Published : 2023-05-22 16:15

Updated : 2024-11-21 08:03

NVD link : CVE-2023-32348

Mitre link : CVE-2023-32348

CVE.ORG link : CVE-2023-32348

JSON object : View

Products Affected

remote_management_system

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2023-32348", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-05-22T16:15:10.340", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08", "tags": ["Third Party Advisory", "US Government Resource"], "source": "[email protected]"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "\nTeltonika\u2019s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. It connects new devices in a manner that allows the new device to communicate with all Teltonika devices connected to the VPN. The OpenVPN server also allows users to route through it. An attacker could route a connection to a remote server through the OpenVPN server, enabling them to scan and access data from other Teltonika devices connected to the VPN.\n\n"}], "lastModified": "2024-11-21T08:03:09.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:teltonika:remote_management_system:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBC0B044-049C-4538-A1C6-56B61073AADE", "versionEndExcluding": "4.10.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}