CVE-2023-41096 (GCVE-0-2023-41096)

Vulnerability from cvelistv5 – Published: 2023-10-26 13:10 – Updated: 2024-09-25 16:23
VLAI?
Summary
Missing Encryption of Security Keys vulnerability in Silicon Labs Ember ZNet SDK on 32 bit, ARM (SecureVault High modules) allows potential modification or extraction of network credentials stored in flash. This issue affects Silicon Labs Ember ZNet SDK: 7.3.1 and earlier.
Severity ?
6.8 (Medium)
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
silabs.com Ember ZNet SDK Unaffected: 7.3.2
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:46:11.828Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-41096",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:46:44.290755Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-17T14:01:22.764Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "modules": [
            "SecureVault High"
          ],
          "platforms": [
            "32 bit",
            "ARM"
          ],
          "product": "Ember ZNet SDK",
          "repo": "https://github.com/SiliconLabs/gecko_sdk",
          "vendor": "silabs.com",
          "versions": [
            {
              "status": "unaffected",
              "version": "7.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Encryption of Security Keys vulnerability in Silicon Labs Ember ZNet SDK on 32 bit, ARM (SecureVault High modules)\n allows potential modification or extraction of network credentials stored in flash.\n\n\u003cbr\u003e\u003cp\u003eThis issue affects Silicon Labs Ember ZNet SDK: 7.3.1 and earlier.\u003c/p\u003e"
            }
          ],
          "value": "Missing Encryption of Security Keys vulnerability in Silicon Labs Ember ZNet SDK on 32 bit, ARM (SecureVault High modules)\n allows potential modification or extraction of network credentials stored in flash.\n\n\nThis issue affects Silicon Labs Ember ZNet SDK: 7.3.1 and earlier."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-458",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-458 Flash Memory Attacks"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-25T16:23:10.406Z",
        "orgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
        "shortName": "Silabs"
      },
      "references": [
        {
          "url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Keys Stored in Plaintext on Secure Vault High for Silabs Ember ZNet devices",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
    "assignerShortName": "Silabs",
    "cveId": "CVE-2023-41096",
    "datePublished": "2023-10-26T13:10:34.406Z",
    "dateReserved": "2023-08-23T04:17:16.169Z",
    "dateUpdated": "2024-09-25T16:23:10.406Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:silabs:emberznet_sdk:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"7.3.1.0\", \"matchCriteriaId\": \"B33DB8D2-920F-4929-9C3F-E50CB6E11489\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Missing Encryption of Security Keys vulnerability in Silicon Labs Ember ZNet SDK on 32 bit, ARM (SecureVault High modules)\\n allows potential modification or extraction of network credentials stored in flash.\\n\\n\\nThis issue affects Silicon Labs Ember ZNet SDK: 7.3.1 and earlier.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de Falta de Cifrado de Claves de Seguridad en Silicon Labs Ember ZNet SDK de 32 bits, ARM (m\\u00f3dulos SecureVault High) permite una posible modificaci\\u00f3n o extracci\\u00f3n de las credenciales de red almacenadas en la memoria flash. Este problema afecta a Silicon Labs Ember ZNet SDK: 7.3.1 y versiones anteriores.\"}]",
      "id": "CVE-2023-41096",
      "lastModified": "2024-11-21T08:20:33.533",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"product-security@silabs.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"PHYSICAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"PHYSICAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 5.2}]}",
      "published": "2023-10-26T14:15:08.720",
      "references": "[{\"url\": \"https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1\", \"source\": \"product-security@silabs.com\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\"]}]",
      "sourceIdentifier": "product-security@silabs.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"product-security@silabs.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-312\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-311\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-41096\",\"sourceIdentifier\":\"product-security@silabs.com\",\"published\":\"2023-10-26T14:15:08.720\",\"lastModified\":\"2024-11-21T08:20:33.533\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Missing Encryption of Security Keys vulnerability in Silicon Labs Ember ZNet SDK on 32 bit, ARM (SecureVault High modules)\\n allows potential modification or extraction of network credentials stored in flash.\\n\\n\\nThis issue affects Silicon Labs Ember ZNet SDK: 7.3.1 and earlier.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de Falta de Cifrado de Claves de Seguridad en Silicon Labs Ember ZNet SDK de 32 bits, ARM (m\u00f3dulos SecureVault High) permite una posible modificaci\u00f3n o extracci\u00f3n de las credenciales de red almacenadas en la memoria flash. Este problema afecta a Silicon Labs Ember ZNet SDK: 7.3.1 y versiones anteriores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"product-security@silabs.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"product-security@silabs.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-312\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-311\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:silabs:emberznet_sdk:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"7.3.1.0\",\"matchCriteriaId\":\"B33DB8D2-920F-4929-9C3F-E50CB6E11489\"}]}]}],\"references\":[{\"url\":\"https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1\",\"source\":\"product-security@silabs.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T18:46:11.828Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-41096\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T17:46:44.290755Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-17T14:01:19.191Z\"}}], \"cna\": {\"title\": \"Keys Stored in Plaintext on Secure Vault High for Silabs Ember ZNet devices\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-458\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-458 Flash Memory Attacks\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.8, \"attackVector\": \"PHYSICAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/SiliconLabs/gecko_sdk\", \"vendor\": \"silabs.com\", \"modules\": [\"SecureVault High\"], \"product\": \"Ember ZNet SDK\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"7.3.2\"}], \"platforms\": [\"32 bit\", \"ARM\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Missing Encryption of Security Keys vulnerability in Silicon Labs Ember ZNet SDK on 32 bit, ARM (SecureVault High modules)\\n allows potential modification or extraction of network credentials stored in flash.\\n\\n\\nThis issue affects Silicon Labs Ember ZNet SDK: 7.3.1 and earlier.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Missing Encryption of Security Keys vulnerability in Silicon Labs Ember ZNet SDK on 32 bit, ARM (SecureVault High modules)\\n allows potential modification or extraction of network credentials stored in flash.\\n\\n\u003cbr\u003e\u003cp\u003eThis issue affects Silicon Labs Ember ZNet SDK: 7.3.1 and earlier.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-312\", \"description\": \"CWE-312 Cleartext Storage of Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"030b2754-1501-44a4-bef8-48be86a33bf4\", \"shortName\": \"Silabs\", \"dateUpdated\": \"2024-09-25T16:23:10.406Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-41096\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-25T16:23:10.406Z\", \"dateReserved\": \"2023-08-23T04:17:16.169Z\", \"assignerOrgId\": \"030b2754-1501-44a4-bef8-48be86a33bf4\", \"datePublished\": \"2023-10-26T13:10:34.406Z\", \"assignerShortName\": \"Silabs\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.