Details of VAR-202308-3626

ID

VAR-202308-3626

CVE

CVE-2023-4299

TITLE

Digi International Made RealPort Protocol Authentication vulnerability using password hashes instead of passwords in

Trust: 0.8

sources: JVNDB: JVNDB-2023-003551

DESCRIPTION

Digi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment. Digi International Provided by Digi RealPort Protocol The following vulnerabilities exist in. It was * Authentication using password hashes instead of passwords (CWE-836) - CVE-2023-4299If the vulnerability is exploited, it may be affected as follows. It was * Authentication is bypassed and connected devices are accessed by a remote third party

Trust: 1.71

sources: NVD: CVE-2023-4299 // JVNDB: JVNDB-2023-003551 // VULMON: CVE-2023-4299

AFFECTED PRODUCTS

vendor:	digi	model:	portserver ts p mei	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	connectport ts 8\/16	scope:	lt	version:	2.26.2.4	Trust: 1.0
vendor:	digi	model:	wr31	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	connect sp	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	one ia	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	realport	scope:	lte	version:	1.9-40	Trust: 1.0
vendor:	digi	model:	portserver ts mei hardened	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	one iap	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	portserver ts mei	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	portserver ts m mei	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	wr44 r	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	transport wr11 xt	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	portserver ts	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	connect es	scope:	lt	version:	2.26.2.4	Trust: 1.0
vendor:	digi	model:	wr21	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	cm	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	one sp ia	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	one sp	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	realport	scope:	lte	version:	4.8.488.0	Trust: 1.0
vendor:	digi	model:	connectport lts 8\/16\/32	scope:	lt	version:	1.4.9	Trust: 1.0
vendor:	digi	model:	passport	scope:	eq	version:	-	Trust: 1.0
vendor:	digi	model:	connectport ts 8/16	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	transport wr31	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	connect es	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	portserver ts	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	transport wr11xt	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	portserver ts mei hardened	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	connect sp	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	one ia	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	portserver ts p mei	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	one iap family	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	connectport lts 8/16/32	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	one sp ia	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	portserver ts m mei	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	passport console server	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	realport	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	transport wr21	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	one sp	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	portserver ts mei	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	transport wr44 r	scope:	-	version:	-	Trust: 0.8
vendor:	digi	model:	cm console server	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2023-003551 // NVD: CVE-2023-4299

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-4299
value:	HIGH
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2023-4299
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2023-4299
value:	HIGH
Trust: 0.8

nvd@nist.gov:	CVE-2023-4299
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	5.9
version:	3.1
Trust: 1.0
ics-cert@hq.dhs.gov:	CVE-2023-4299
baseSeverity:	CRITICAL
baseScore:	9.0
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2023-4299
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-003551 // NVD: CVE-2023-4299 // NVD: CVE-2023-4299

PROBLEMTYPE DATA

problemtype:	CWE-836	Trust: 1.0
problemtype:	Authentication using password hashes instead of passwords (CWE-836) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-003551 // NVD: CVE-2023-4299

PATCH

title:

RealPort CVEs (PDF)

url:

https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf

Trust: 0.8

sources: JVNDB: JVNDB-2023-003551

EXTERNAL IDS

db:	NVD	id:	CVE-2023-4299	Trust: 2.7
db:	ICS CERT	id:	ICSA-23-243-04	Trust: 1.9
db:	JVN	id:	JVNVU92217208	Trust: 0.8
db:	JVNDB	id:	JVNDB-2023-003551	Trust: 0.8
db:	VULMON	id:	CVE-2023-4299	Trust: 0.1

sources: VULMON: CVE-2023-4299 // JVNDB: JVNDB-2023-003551 // NVD: CVE-2023-4299

REFERENCES

url:	https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-04	Trust: 1.9
url:	https://www.digi.com/getattachment/resources/security/alerts/realport-cves/dragos-disclosure-statement.pdf	Trust: 1.1
url:	https://jvn.jp/vu/jvnvu92217208/index.html	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-4299	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/836.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2023-4299 // JVNDB: JVNDB-2023-003551 // NVD: CVE-2023-4299

SOURCES

db:	VULMON	id:	CVE-2023-4299
db:	JVNDB	id:	JVNDB-2023-003551
db:	NVD	id:	CVE-2023-4299

LAST UPDATE DATE

2024-08-14T14:17:00.104000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2023-4299	date:	2023-09-01T00:00:00
db:	JVNDB	id:	JVNDB-2023-003551	date:	2024-06-13T07:29:00
db:	NVD	id:	CVE-2023-4299	date:	2023-09-06T20:13:32.917

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2023-4299	date:	2023-08-31T00:00:00
db:	JVNDB	id:	JVNDB-2023-003551	date:	2023-09-12T00:00:00
db:	NVD	id:	CVE-2023-4299	date:	2023-08-31T21:15:09.183