{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-3453","assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","state":"PUBLISHED","assignerShortName":"icscert","dateReserved":"2023-06-28T20:05:19.353Z","datePublished":"2023-08-23T21:14:17.553Z","dateUpdated":"2024-09-30T19:13:47.408Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Remote Access Server (RAS)","vendor":"ETIC Telecom","versions":[{"lessThanOrEqual":"4.7.0","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","user":"00000000-0000-4000-9000-000000000000","value":"Haviv Vaizman of OTORIO"},{"lang":"en","type":"finder","user":"00000000-0000-4000-9000-000000000000","value":"Hay Mizrachi of OTORIO"},{"lang":"en","type":"finder","user":"00000000-0000-4000-9000-000000000000","value":"Alik Koldobsky of OTORIO"},{"lang":"en","type":"finder","user":"00000000-0000-4000-9000-000000000000","value":"Ofir Manzur of OTORIO"},{"lang":"en","type":"finder","user":"00000000-0000-4000-9000-000000000000","value":"Nikolay Sokolik of OTORIO"}],"datePublic":"2023-07-27T19:05:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\n\n<span style=\"background-color: rgb(255, 255, 255);\">ETIC Telecom RAS versions 4.7.0 and prior the web management portal authentication disabled by default. This could allow an attacker with adjacent network access to alter the configuration of the device or cause a denial-of-service condition.</span>\n\n"}],"value":"\nETIC Telecom RAS versions 4.7.0 and prior the web management portal authentication disabled by default. This could allow an attacker with adjacent network access to alter the configuration of the device or cause a denial-of-service condition.\n\n"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"LOW","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1188","description":"CWE-1188 Insecure Default Initialization of Resource","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert","dateUpdated":"2023-08-23T21:14:17.553Z"},"references":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-01"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update to&nbsp;<span style=\"background-color: var(--wht);\">ETIC Telecom RAS: </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.etictelecom.com/en/softwares-download/\">version 4.9.0 or later</a>"}],"value":"Update to ETIC Telecom RAS:  version 4.9.0 or later https://www.etictelecom.com/en/softwares-download/ "}],"source":{"advisory":"ICSA-23-208-01","discovery":"EXTERNAL"},"title":"ETIC Telecom Insecure Default Initialization of Resource","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\n\n<p>ETIC Telecom recommends enabling the authentication mechanism on the administration interface. This can be done on the page “&gt; Setup &gt; Security &gt; Administration right” by creating an administrator on the “List of administrators” table, enabling the parameter “Password protect the configuration interface,” then setting the parameter “Protocols to use for configuration” to “HTTPs only”.</p><p>NOTE: for firmware versions 4.9.0 or later, enabling the administration protection is mandatory after the first product start.</p>\n\n<br>"}],"value":"\nETIC Telecom recommends enabling the authentication mechanism on the administration interface. This can be done on the page “> Setup > Security > Administration right” by creating an administrator on the “List of administrators” table, enabling the parameter “Password protect the configuration interface,” then setting the parameter “Protocols to use for configuration” to “HTTPs only”.\n\nNOTE: for firmware versions 4.9.0 or later, enabling the administration protection is mandatory after the first product start.\n\n\n\n\n"}],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T06:55:03.492Z"},"title":"CVE Program Container","references":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-01","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-09-30T19:09:13.772804Z","id":"CVE-2023-3453","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-30T19:13:47.408Z"}}]}}