CVE-2022-42787

Severity CVSS v4.0:

Pending analysis

Type:

CWE-330 Use of Insufficiently Random Value

Publication date:

10/11/2022

Last modified:

02/12/2022

Description

Multiple W&T products of the Comserver Series use a small number space for allocating sessions ids. After login of an user an unathenticated remote attacker can brute force the users session id and get access to his account on the the device. As the user needs to log in for the attack to be successful a user interaction is required.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 8.80 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x

8.80

Severity 3.x

HIGH

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:o:wut:at-modem-emulator_firmware::::::::		1.48 (excluding)
cpe:2.3:h:wut:at-modem-emulator:-:::::::*
cpe:2.3:o:wut:com-server_\+\+_firmware::::::::		1.48 (excluding)
cpe:2.3:h:wut:com-server_\+\+:-:::::::*
cpe:2.3:o:wut:com-server_20ma_firmware::::::::		1.48 (excluding)
cpe:2.3:h:wut:com-server_20ma:-:::::::*
cpe:2.3:o:wut:com-server_highspeed_100basefx_firmware::::::::		1.76 (excluding)
cpe:2.3:h:wut:com-server_highspeed_100basefx:-:::::::*
cpe:2.3:o:wut:com-server_highspeed_100baselx_firmware::::::::		1.76 (excluding)
cpe:2.3:h:wut:com-server_highspeed_100baselx:-:::::::*
cpe:2.3:o:wut:com-server_highspeed_19\"_1port_firmware::::::::		1.76 (excluding)
cpe:2.3:h:wut:com-server_highspeed_19\"_1port:-:::::::*
cpe:2.3:o:wut:com-server_highspeed_19\"_4port_firmware::::::::		1.76 (excluding)
cpe:2.3:h:wut:com-server_highspeed_19\"_4port:-:::::::*
cpe:2.3:o:wut:com-server_highspeed_compact_firmware::::::::		1.76 (excluding)

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://cert.vde.com/de/advisories/VDE-2022-043

CPE	From	Up to
cpe:2.3:o:wut:at-modem-emulator_firmware::::::::		1.48 (excluding)
cpe:2.3:h:wut:at-modem-emulator:-:::::::*
cpe:2.3:o:wut:com-server_\+\+_firmware::::::::		1.48 (excluding)
cpe:2.3:h:wut:com-server_\+\+:-:::::::*
cpe:2.3:o:wut:com-server_20ma_firmware::::::::		1.48 (excluding)
cpe:2.3:h:wut:com-server_20ma:-:::::::*
cpe:2.3:o:wut:com-server_highspeed_100basefx_firmware::::::::		1.76 (excluding)
cpe:2.3:h:wut:com-server_highspeed_100basefx:-:::::::*
cpe:2.3:o:wut:com-server_highspeed_100baselx_firmware::::::::		1.76 (excluding)
cpe:2.3:h:wut:com-server_highspeed_100baselx:-:::::::*
cpe:2.3:o:wut:com-server_highspeed_19\"_1port_firmware::::::::		1.76 (excluding)
cpe:2.3:h:wut:com-server_highspeed_19\"_1port:-:::::::*
cpe:2.3:o:wut:com-server_highspeed_19\"_4port_firmware::::::::		1.76 (excluding)
cpe:2.3:h:wut:com-server_highspeed_19\"_4port:-:::::::*
cpe:2.3:o:wut:com-server_highspeed_compact_firmware::::::::		1.76 (excluding)