Vulnerabilities > CVE-2023-36609 - Inclusion of Functionality from Untrusted Control Sphere vulnerability in Ovarro products

CVSS 7.2 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

ovarro

CWE-829

NVD

Published: 2023-07-03

Updated: 2023-07-10

Summary

The affected TBox RTUs run OpenVPN with root privileges and can run user defined configuration scripts. An attacker could set up a local OpenVPN server and push a malicious script onto the TBox host to acquire root privileges.

Vulnerable Configurations

Part	Description	Count
OS	Ovarro Ovarro Tbox MS Cpu32 Firmware - Ovarro Tbox MS Cpu32 S2 Firmware - Ovarro Tbox LT2 Firmware * Ovarro Tbox TG2 Firmware - Ovarro Tbox RM2 Firmware -	5
Hardware	Ovarro Ovarro Tbox MS Cpu32 - Ovarro Tbox MS Cpu32 S2 - Ovarro Tbox LT2 - Ovarro Tbox TG2 - Ovarro Tbox RM2 -	5

Common Weakness Enumeration (CWE)

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

References

https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03