CVE-2023-28386

Snap One OvrC Pro devices versions 7.2 and prior do not validate firmware updates correctly. The device only calculates the MD5 hash of the firmware and does not check using a private-public key mechanism. The lack of complete PKI system firmware signature could allow attackers to upload arbitrary firmware updates, resulting in code execution.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01	Third Party Advisory US Government Resource
https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-p.pdf	Release Notes

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:h:control4:ca-1:-:::::::*
	cpe:2.3:h:control4:ca-10:-:::::::*
	cpe:2.3:h:control4:ea-1:-:::::::*
	cpe:2.3:h:control4:ea-3:-:::::::*
	cpe:2.3:h:control4:ea-5:-:::::::*
	cpe:2.3:h:snapone:an-110-rt-2l1w:-:::::::*
	cpe:2.3:h:snapone:an-110-rt-2l1w-wifi:-:::::::*
	cpe:2.3:h:snapone:an-310-rt-4l2w:-:::::::*
	cpe:2.3:h:snapone:ovrc-300-pro:-:::::::*
	cpe:2.3:h:snapone:pakedge_rk-1:-:::::::*
	cpe:2.3:h:snapone:pakedge_rt-3100:-:::::::*
	cpe:2.3:h:snapone:pakedge_wr-1:-:::::::*

cpe:2.3:a:snapone:orvc:*:*:*:*:*:pro:*:*

History

No history.

Information

Published : 2023-05-22 20:15

Updated : 2023-05-27 01:59

NVD link : CVE-2023-28386

Mitre link : CVE-2023-28386

CVE.ORG link : CVE-2023-28386

JSON object : View

Products Affected

snapone

orvc
pakedge_wr-1
an-110-rt-2l1w-wifi
an-310-rt-4l2w
an-110-rt-2l1w
pakedge_rt-3100
pakedge_rk-1
ovrc-300-pro

control4

ca-1
ca-10
ea-5
ea-1
ea-3

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2023-28386", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2023-05-22T20:15:10.250", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-p.pdf", "tags": ["Release Notes"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-345"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nSnap One OvrC Pro devices versions 7.2 and prior do not validate firmware updates correctly. The device only calculates the MD5 hash of the firmware and does not check using a private-public key mechanism. The lack of complete PKI system firmware signature could allow attackers to upload arbitrary firmware updates, resulting in code execution.\n\n\n\n\n\n"}], "lastModified": "2023-05-27T01:59:16.440", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:control4:ca-1:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "910274AB-35AF-428C-84D7-36774DEB59D8"}, {"criteria": "cpe:2.3:h:control4:ca-10:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "852189C9-7720-468D-BCE0-28DFC051AEDC"}, {"criteria": "cpe:2.3:h:control4:ea-1:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C61FA2AE-A962-4D60-BBCF-751FDB5215B9"}, {"criteria": "cpe:2.3:h:control4:ea-3:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B6310809-0890-4113-837C-0074706B4E6B"}, {"criteria": "cpe:2.3:h:control4:ea-5:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F7ADAAF7-9B0B-4002-8158-FC6B0EAB6055"}, {"criteria": "cpe:2.3:h:snapone:an-110-rt-2l1w:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B5B50505-B496-4172-813E-CA174EE2D4DF"}, {"criteria": "cpe:2.3:h:snapone:an-110-rt-2l1w-wifi:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "04744281-B935-4272-8582-85C6162881F8"}, {"criteria": "cpe:2.3:h:snapone:an-310-rt-4l2w:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CCD83E46-F84F-49F8-9601-ABC03292E0F6"}, {"criteria": "cpe:2.3:h:snapone:ovrc-300-pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F5B44DFB-CC8D-4342-907B-D34F9EAB5CEB"}, {"criteria": "cpe:2.3:h:snapone:pakedge_rk-1:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B2982D38-80BF-4041-9F59-D26C152D24D9"}, {"criteria": "cpe:2.3:h:snapone:pakedge_rt-3100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "061055F0-D742-4227-ADC2-1793979F9463"}, {"criteria": "cpe:2.3:h:snapone:pakedge_wr-1:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "CF7BD251-BB2F-4C49-8B1E-8EB26580DFDB"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:snapone:orvc:*:*:*:*:*:pro:*:*", "vulnerable": true, "matchCriteriaId": "415E3C3D-6B2F-4095-B7F1-E3F777E01172", "versionEndExcluding": "7.3.0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}