Vulnerabilities > CVE-2023-36610 - Insufficient Entropy vulnerability in Ovarro products

CVSS 5.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

high complexity

ovarro

CWE-331

NVD

Published: 2023-07-03

Updated: 2023-11-07

Summary

?The affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software tokens is not initialized correctly, and other parts of the token are generated using predictable time-based values. An attacker with this knowledge could successfully brute force the token and authenticate themselves.

Vulnerable Configurations

Part	Description	Count
OS	Ovarro Ovarro Tbox MS Cpu32 Firmware - Ovarro Tbox MS Cpu32 S2 Firmware - Ovarro Tbox LT2 Firmware - Ovarro Tbox LT2 Firmware 1.46 Ovarro Tbox LT2 Firmware 1.50.598 Ovarro Tbox TG2 Firmware - Ovarro Tbox RM2 Firmware -	7
Hardware	Ovarro Ovarro Tbox MS Cpu32 - Ovarro Tbox MS Cpu32 S2 - Ovarro Tbox LT2 - Ovarro Tbox TG2 - Ovarro Tbox RM2 -	5

Common Weakness Enumeration (CWE)

CWE-331 - Insufficient Entropy

Common Attack Pattern Enumeration and Classification (CAPEC)

Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

References

https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03