5.9

CVE-2023-36610

​The affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software tokens is not initialized correctly, and other parts of the token are generated using predictable time-based values. An attacker with this knowledge could successfully brute force the token and authenticate themselves.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OvarroTbox Ms-cpu32 Firmware Version <= 1.50.598
   OvarroTbox Ms-cpu32 Version-
OvarroTbox Ms-cpu32-s2 Firmware Version <= 1.50.598
   OvarroTbox Ms-cpu32-s2 Version-
OvarroTbox Lt2 Firmware Version <= 1.50.598
   OvarroTbox Lt2 Version-
OvarroTbox Tg2 Firmware Version <= 1.50.598
   OvarroTbox Tg2 Version-
OvarroTbox Rm2 Firmware Version <= 1.50.598
   OvarroTbox Rm2 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.318
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
ics-cert@hq.dhs.gov 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-331 Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03
Third Party Advisory
US Government Resource
Mitigation