{"containers": {"cna": {"affected": [{"product": "Phicomm Routers", "vendor": "n/a", "versions": [{"status": "affected", "version": "K2 >= 22.5.9.163, K3 >= 21.5.37.246, K3C >= 32.1.15.93, K2P >= 20.4.1.7, K2 A7 >= 22.6.506.28"}]}], "descriptions": [{"lang": "en", "value": "The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the \"plaintext\" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's RSA_public_decrypt() function. This weakness allows the attacker to manipulate the various iterations of the telnetd startup state machine and eventually obtain a root shell on the device, by means of an exchange of crafted UDP packets. In all versions but K2 22.5.9.163 and K3C 32.1.15.93 a successful attack also requires the exploitation of a null-byte interaction error (CVE-2022-25219)."}], "problemTypes": [{"descriptions": [{"description": "Use of RSA Algorithm without OAEP", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-03-07T21:50:25.000Z", "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.tenable.com/security/research/tra-2022-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnreport@tenable.com", "ID": "CVE-2022-25218", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Phicomm Routers", "version": {"version_data": [{"version_value": "K2 >= 22.5.9.163, K3 >= 21.5.37.246, K3C >= 32.1.15.93, K2P >= 20.4.1.7, K2 A7 >= 22.6.506.28"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the \"plaintext\" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's RSA_public_decrypt() function. This weakness allows the attacker to manipulate the various iterations of the telnetd startup state machine and eventually obtain a root shell on the device, by means of an exchange of crafted UDP packets. In all versions but K2 22.5.9.163 and K3C 32.1.15.93 a successful attack also requires the exploitation of a null-byte interaction error (CVE-2022-25219)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use of RSA Algorithm without OAEP"}]}]}, "references": {"reference_data": [{"name": "https://www.tenable.com/security/research/tra-2022-01", "refsource": "MISC", "url": "https://www.tenable.com/security/research/tra-2022-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:36:06.287Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.tenable.com/security/research/tra-2022-01"}]}]}, "cveMetadata": {"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "assignerShortName": "tenable", "cveId": "CVE-2022-25218", "datePublished": "2022-03-07T21:50:25.000Z", "dateReserved": "2022-02-15T00:00:00.000Z", "dateUpdated": "2024-08-03T04:36:06.287Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "66980EB4-9FEC-451F-93F1-3E275CD6A462", "versionEndIncluding": "22.5.9.163", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k2:-:*:*:*:*:*:*:*", "matchCriteriaId": "26A205A0-3616-4CD9-A7B8-FEA63742ABE9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k3_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C6D3940-9C77-4A8C-AD55-6857491B43B5", "versionEndIncluding": "21.5.37.246", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k3:-:*:*:*:*:*:*:*", "matchCriteriaId": "7FFD131E-E41A-44BD-81B5-A1A10E64D88B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k3c_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3319332E-25E6-4148-9A57-15FCF51C0413", "versionEndIncluding": "32.1.15.93", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k3c:-:*:*:*:*:*:*:*", "matchCriteriaId": "4D47C172-F2F6-451F-8891-D150DBBA181C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k2g_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4737564-B92D-408E-81EC-598B76EE347F", "versionEndIncluding": "22.6.3.20", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k2g:-:*:*:*:*:*:*:*", "matchCriteriaId": "1C8AE809-CB81-4CEB-B383-0461E3885892", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:phicomm:k2p_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CE04942-4274-4A96-95E4-4838AAAC09A2", "versionEndIncluding": "20.4.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:phicomm:k2p:-:*:*:*:*:*:*:*", "matchCriteriaId": "F80A65CA-B4F2-4912-B991-1D60869D5CB9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the \"plaintext\" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's RSA_public_decrypt() function. This weakness allows the attacker to manipulate the various iterations of the telnetd startup state machine and eventually obtain a root shell on the device, by means of an exchange of crafted UDP packets. In all versions but K2 22.5.9.163 and K3C 32.1.15.93 a successful attack also requires the exploitation of a null-byte interaction error (CVE-2022-25219)."}, {"lang": "es", "value": "El uso del algoritmo RSA sin OAEP, o cualquier otro esquema de relleno, en telnetd_startup, permite a un atacante no autenticado en la red de \u00e1rea local lograr un grado significativo de control sobre \"texto plano\" al que un blob arbitrario de texto cifrado ser\u00e1 descifrado por la funci\u00f3n RSA_public_decrypt() de OpenSSL. Esta debilidad permite al atacante manipular las diversas iteraciones de la m\u00e1quina de estado de inicio de telnetd y eventualmente obtener un shell de root en el dispositivo, mediante un intercambio de paquetes UDP dise\u00f1ados. En todas las versiones excepto K2 22.5.9.163 y K3C 32.1.15.93 un ataque con \u00e9xito tambi\u00e9n requiere la explotaci\u00f3n de un error de interacci\u00f3n de byte nulo (CVE-2022-25219)"}], "id": "CVE-2022-25218", "lastModified": "2024-11-21T06:51:49.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-10T17:47:02.133", "references": [{"source": "vulnreport@tenable.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.tenable.com/security/research/tra-2022-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.tenable.com/security/research/tra-2022-01"}], "sourceIdentifier": "vulnreport@tenable.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}