CVE-2022-25219 (GCVE-0-2022-25219)

Vulnerability from cvelistv5 – Published: 2022-03-07 21:56 – Updated: 2024-08-03 04:36
VLAI?
Summary
A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot. By means of a crafted exchange of UDP packets, an unauthenticated attacker on the local network can leverage this null byte interaction error in such a way as to make those ephemeral passwords predictable (with 1-in-94 odds). Since the attacker must manipulate data processed by the OpenSSL function RSA_public_decrypt(), successful exploitation of this vulnerability depends on the use of an unpadded RSA cipher (CVE-2022-25218).
Severity ?
No CVSS data available.
CWE
  • Null Byte Interaction Error
Assigner
References
Impacted products
Vendor Product Version
n/a Phicomm Routers Affected: K3 >= 21.5.37.246, K3C >= 32.1.22.113, K2P >= 20.4.1.7, K2 A7 >= 22.6.506.28, K2G A1 >= 22.6.3.20
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:36:05.791Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/research/tra-2022-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Phicomm Routers",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "K3 \u003e= 21.5.37.246, K3C \u003e= 32.1.22.113, K2P \u003e= 20.4.1.7, K2 A7 \u003e= 22.6.506.28, K2G A1 \u003e= 22.6.3.20"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot. By means of a crafted exchange of UDP packets, an unauthenticated attacker on the local network can leverage this null byte interaction error in such a way as to make those ephemeral passwords predictable (with 1-in-94 odds). Since the attacker must manipulate data processed by the OpenSSL function RSA_public_decrypt(), successful exploitation of this vulnerability depends on the use of an unpadded RSA cipher (CVE-2022-25218)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Null Byte Interaction Error",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-07T21:56:51",
        "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "shortName": "tenable"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.tenable.com/security/research/tra-2022-01"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vulnreport@tenable.com",
          "ID": "CVE-2022-25219",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Phicomm Routers",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "K3 \u003e= 21.5.37.246, K3C \u003e= 32.1.22.113, K2P \u003e= 20.4.1.7, K2 A7 \u003e= 22.6.506.28, K2G A1 \u003e= 22.6.3.20"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot. By means of a crafted exchange of UDP packets, an unauthenticated attacker on the local network can leverage this null byte interaction error in such a way as to make those ephemeral passwords predictable (with 1-in-94 odds). Since the attacker must manipulate data processed by the OpenSSL function RSA_public_decrypt(), successful exploitation of this vulnerability depends on the use of an unpadded RSA cipher (CVE-2022-25218)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Null Byte Interaction Error"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.tenable.com/security/research/tra-2022-01",
              "refsource": "MISC",
              "url": "https://www.tenable.com/security/research/tra-2022-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
    "assignerShortName": "tenable",
    "cveId": "CVE-2022-25219",
    "datePublished": "2022-03-07T21:56:51",
    "dateReserved": "2022-02-15T00:00:00",
    "dateUpdated": "2024-08-03T04:36:05.791Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phicomm:k2_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"22.5.9.163\", \"matchCriteriaId\": \"66980EB4-9FEC-451F-93F1-3E275CD6A462\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phicomm:k2:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"26A205A0-3616-4CD9-A7B8-FEA63742ABE9\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phicomm:k3_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"21.5.37.246\", \"matchCriteriaId\": \"4C6D3940-9C77-4A8C-AD55-6857491B43B5\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phicomm:k3:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7FFD131E-E41A-44BD-81B5-A1A10E64D88B\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phicomm:k3c_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"32.1.15.93\", \"matchCriteriaId\": \"3319332E-25E6-4148-9A57-15FCF51C0413\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phicomm:k3c:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4D47C172-F2F6-451F-8891-D150DBBA181C\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phicomm:k2g_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"22.6.3.20\", \"matchCriteriaId\": \"D4737564-B92D-408E-81EC-598B76EE347F\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phicomm:k2g:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1C8AE809-CB81-4CEB-B383-0461E3885892\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:phicomm:k2p_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"20.4.1.7\", \"matchCriteriaId\": \"8CE04942-4274-4A96-95E4-4838AAAC09A2\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:phicomm:k2p:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F80A65CA-B4F2-4912-B991-1D60869D5CB9\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot. By means of a crafted exchange of UDP packets, an unauthenticated attacker on the local network can leverage this null byte interaction error in such a way as to make those ephemeral passwords predictable (with 1-in-94 odds). Since the attacker must manipulate data processed by the OpenSSL function RSA_public_decrypt(), successful exploitation of this vulnerability depends on the use of an unpadded RSA cipher (CVE-2022-25218).\"}, {\"lang\": \"es\", \"value\": \"Se ha detectado un error de interacci\\u00f3n de bytes nulos en el c\\u00f3digo que el demonio telnetd_startup usa para construir un par de contrase\\u00f1as ef\\u00edmeras que permiten a un usuario generar un servicio de telnet en el router, y para asegurar que el servicio de telnet persiste tras el reinicio. Por medio de un intercambio dise\\u00f1ado de paquetes UDP, un atacante no autenticado en la red local puede aprovechar este error de interacci\\u00f3n de bytes nulos de tal manera que haga que esas contrase\\u00f1as ef\\u00edmeras sean predecibles (con una probabilidad de 1 en 94). Dado que el atacante debe manipular los datos procesados por la funci\\u00f3n RSA_public_decrypt() de OpenSSL, una explotaci\\u00f3n con \\u00e9xito de esta vulnerabilidad depende del uso de un cifrado RSA sin relleno (CVE-2022-25218)\"}]",
      "id": "CVE-2022-25219",
      "lastModified": "2024-11-21T06:51:49.703",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.5, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:M/Au:N/C:C/I:C/A:C\", \"baseScore\": 6.9, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.4, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-03-10T17:47:02.457",
      "references": "[{\"url\": \"https://www.tenable.com/security/research/tra-2022-01\", \"source\": \"vulnreport@tenable.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.tenable.com/security/research/tra-2022-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "vulnreport@tenable.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-25219\",\"sourceIdentifier\":\"vulnreport@tenable.com\",\"published\":\"2022-03-10T17:47:02.457\",\"lastModified\":\"2024-11-21T06:51:49.703\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A null byte interaction error has been discovered in the code that the telnetd_startup daemon uses to construct a pair of ephemeral passwords that allow a user to spawn a telnet service on the router, and to ensure that the telnet service persists upon reboot. By means of a crafted exchange of UDP packets, an unauthenticated attacker on the local network can leverage this null byte interaction error in such a way as to make those ephemeral passwords predictable (with 1-in-94 odds). Since the attacker must manipulate data processed by the OpenSSL function RSA_public_decrypt(), successful exploitation of this vulnerability depends on the use of an unpadded RSA cipher (CVE-2022-25218).\"},{\"lang\":\"es\",\"value\":\"Se ha detectado un error de interacci\u00f3n de bytes nulos en el c\u00f3digo que el demonio telnetd_startup usa para construir un par de contrase\u00f1as ef\u00edmeras que permiten a un usuario generar un servicio de telnet en el router, y para asegurar que el servicio de telnet persiste tras el reinicio. Por medio de un intercambio dise\u00f1ado de paquetes UDP, un atacante no autenticado en la red local puede aprovechar este error de interacci\u00f3n de bytes nulos de tal manera que haga que esas contrase\u00f1as ef\u00edmeras sean predecibles (con una probabilidad de 1 en 94). Dado que el atacante debe manipular los datos procesados por la funci\u00f3n RSA_public_decrypt() de OpenSSL, una explotaci\u00f3n con \u00e9xito de esta vulnerabilidad depende del uso de un cifrado RSA sin relleno (CVE-2022-25218)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.5,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":6.9,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:phicomm:k2_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"22.5.9.163\",\"matchCriteriaId\":\"66980EB4-9FEC-451F-93F1-3E275CD6A462\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:phicomm:k2:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"26A205A0-3616-4CD9-A7B8-FEA63742ABE9\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:phicomm:k3_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"21.5.37.246\",\"matchCriteriaId\":\"4C6D3940-9C77-4A8C-AD55-6857491B43B5\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:phicomm:k3:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7FFD131E-E41A-44BD-81B5-A1A10E64D88B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:phicomm:k3c_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"32.1.15.93\",\"matchCriteriaId\":\"3319332E-25E6-4148-9A57-15FCF51C0413\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:phicomm:k3c:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D47C172-F2F6-451F-8891-D150DBBA181C\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:phicomm:k2g_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"22.6.3.20\",\"matchCriteriaId\":\"D4737564-B92D-408E-81EC-598B76EE347F\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:phicomm:k2g:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1C8AE809-CB81-4CEB-B383-0461E3885892\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:phicomm:k2p_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"20.4.1.7\",\"matchCriteriaId\":\"8CE04942-4274-4A96-95E4-4838AAAC09A2\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:phicomm:k2p:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F80A65CA-B4F2-4912-B991-1D60869D5CB9\"}]}]}],\"references\":[{\"url\":\"https://www.tenable.com/security/research/tra-2022-01\",\"source\":\"vulnreport@tenable.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.tenable.com/security/research/tra-2022-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.