CVE-2022-25218 (GCVE-0-2022-25218)

Vulnerability from cvelistv5 – Published: 2022-03-07 21:50 – Updated: 2024-08-03 04:36
Summary
The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the "plaintext" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's RSA_public_decrypt() function. This weakness allows the attacker to manipulate the various iterations of the telnetd startup state machine and eventually obtain a root shell on the device, by means of an exchange of crafted UDP packets. In all versions but K2 22.5.9.163 and K3C 32.1.15.93 a successful attack also requires the exploitation of a null-byte interaction error (CVE-2022-25219).
Severity
No CVSS data available.
CWE
  • Use of RSA Algorithm without OAEP
Assigner
tenable
References
  • https://www.tenable.com/security/research/tra-2022-01
Impacted products
Vendor: n/a
Product: Phicomm Routers
Version: Affected: K2 >= 22.5.9.163, K3 >= 21.5.37.246, K3C >= 32.1.15.93, K2P >= 20.4.1.7, K2 A7 >= 22.6.506.28

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:36:06.287Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/research/tra-2022-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Phicomm Routers",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "K2 \u003e= 22.5.9.163, K3 \u003e= 21.5.37.246, K3C \u003e= 32.1.15.93, K2P \u003e= 20.4.1.7, K2 A7 \u003e= 22.6.506.28"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the \"plaintext\" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL\u0027s RSA_public_decrypt() function. This weakness allows the attacker to manipulate the various iterations of the telnetd startup state machine and eventually obtain a root shell on the device, by means of an exchange of crafted UDP packets. In all versions but K2 22.5.9.163 and K3C 32.1.15.93 a successful attack also requires the exploitation of a null-byte interaction error (CVE-2022-25219)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Use of RSA Algorithm without OAEP",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-07T21:50:25",
        "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "shortName": "tenable"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.tenable.com/security/research/tra-2022-01"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vulnreport@tenable.com",
          "ID": "CVE-2022-25218",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Phicomm Routers",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "K2 \u003e= 22.5.9.163, K3 \u003e= 21.5.37.246, K3C \u003e= 32.1.15.93, K2P \u003e= 20.4.1.7, K2 A7 \u003e= 22.6.506.28"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the \"plaintext\" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL\u0027s RSA_public_decrypt() function. This weakness allows the attacker to manipulate the various iterations of the telnetd startup state machine and eventually obtain a root shell on the device, by means of an exchange of crafted UDP packets. In all versions but K2 22.5.9.163 and K3C 32.1.15.93 a successful attack also requires the exploitation of a null-byte interaction error (CVE-2022-25219)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Use of RSA Algorithm without OAEP"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.tenable.com/security/research/tra-2022-01",
              "refsource": "MISC",
              "url": "https://www.tenable.com/security/research/tra-2022-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
    "assignerShortName": "tenable",
    "cveId": "CVE-2022-25218",
    "datePublished": "2022-03-07T21:50:25",
    "dateReserved": "2022-02-15T00:00:00",
    "dateUpdated": "2024-08-03T04:36:06.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phicomm:k2_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"22.5.9.163\", \"matchCriteriaId\": \"66980EB4-9FEC-451F-93F1-3E275CD6A462\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phicomm:k2:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"26A205A0-3616-4CD9-A7B8-FEA63742ABE9\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phicomm:k3_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"21.5.37.246\", \"matchCriteriaId\": \"4C6D3940-9C77-4A8C-AD55-6857491B43B5\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phicomm:k3:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7FFD131E-E41A-44BD-81B5-A1A10E64D88B\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phicomm:k3c_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"32.1.15.93\", \"matchCriteriaId\": \"3319332E-25E6-4148-9A57-15FCF51C0413\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phicomm:k3c:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4D47C172-F2F6-451F-8891-D150DBBA181C\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phicomm:k2g_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"22.6.3.20\", \"matchCriteriaId\": \"D4737564-B92D-408E-81EC-598B76EE347F\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phicomm:k2g:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1C8AE809-CB81-4CEB-B383-0461E3885892\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phicomm:k2p_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"20.4.1.7\", \"matchCriteriaId\": \"8CE04942-4274-4A96-95E4-4838AAAC09A2\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phicomm:k2p:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F80A65CA-B4F2-4912-B991-1D60869D5CB9\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the \\\"plaintext\\\" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL\u0027s RSA_public_decrypt() function. This weakness allows the attacker to manipulate the various iterations of the telnetd startup state machine and eventually obtain a root shell on the device, by means of an exchange of crafted UDP packets. In all versions but K2 22.5.9.163 and K3C 32.1.15.93 a successful attack also requires the exploitation of a null-byte interaction error (CVE-2022-25219).\"}, {\"lang\": \"es\", \"value\": \"El uso del algoritmo RSA sin OAEP, o cualquier otro esquema de relleno, en telnetd_startup, permite a un atacante no autenticado en la red de \\u00e1rea local lograr un grado significativo de control sobre \\\"texto plano\\\" al que un blob arbitrario de texto cifrado ser\\u00e1 descifrado por la funci\\u00f3n RSA_public_decrypt() de OpenSSL. Esta debilidad permite al atacante manipular las diversas iteraciones de la m\\u00e1quina de estado de inicio de telnetd y eventualmente obtener un shell de root en el dispositivo, mediante un intercambio de paquetes UDP dise\\u00f1ados. En todas las versiones excepto K2 22.5.9.163 y K3C 32.1.15.93 un ataque con \\u00e9xito tambi\\u00e9n requiere la explotaci\\u00f3n de un error de interacci\\u00f3n de byte nulo (CVE-2022-25219)\"}]",
      "id": "CVE-2022-25218",
      "lastModified": "2024-11-21T06:51:49.603",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:C/I:C/A:C\", \"baseScore\": 9.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 8.6, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-03-10T17:47:02.133",
      "references": "[{\"url\": \"https://www.tenable.com/security/research/tra-2022-01\", \"source\": \"vulnreport@tenable.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.tenable.com/security/research/tra-2022-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "vulnreport@tenable.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-327\"}]}]"
    }
  }
}

