CVE-2023-35830 - Vulnerability Details - OpenCVE

ReportizFlow

STW (aka Sensor-Technik Wiedemann) TCG-4 Connectivity Module DeploymentPackage_v3.03r0-Impala and DeploymentPackage_v3.04r2-Jellyfish and TCG-4lite Connectivity Module DeploymentPackage_v3.04r2-Jellyfish allow an attacker to gain full remote access with root privileges without the need for authentication, giving an attacker arbitrary remote code execution over LTE / 4G network via SMS.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Stw-mobile-machines	Tcg-4 Tcg-4 Firmware Tcg-4lite Tcg-4lite Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:stw-mobile-machines:tcg-4_firmware:3.01r1:::::::*
	cpe:2.3:o:stw-mobile-machines:tcg-4_firmware:3.02r0:::::::*
	cpe:2.3:o:stw-mobile-machines:tcg-4_firmware:3.03r0:::::::*
	cpe:2.3:o:stw-mobile-machines:tcg-4_firmware:3.04r2:::::::*

cpe:2.3:h:stw-mobile-machines:tcg-4:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:stw-mobile-machines:tcg-4lite_firmware:3.04r2:*:*:*:*:*:*:*

cpe:2.3:h:stw-mobile-machines:tcg-4lite:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.stw-mobile-machines.com/fileadmin/user_upload/content/STW/PSIRT/STW-IR-23-001.pdf
https://www.stw-mobile-machines.com/psirt/

History

Wed, 27 Nov 2024 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-306
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-06-29T00:00:00

Updated: 2024-11-27T16:27:11.392Z

Reserved: 2023-06-18T00:00:00

Link: CVE-2023-35830

Vulnrichment

Updated: 2024-08-02T16:30:45.384Z

NVD

Status : Modified

Published: 2023-06-29T16:15:09.897

Modified: 2024-11-27T17:15:08.783

Link: CVE-2023-35830

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-35830", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-11-27T16:27:11.392Z", "dateReserved": "2023-06-18T00:00:00", "datePublished": "2023-06-29T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-06-29T00:00:00"}, "descriptions": [{"lang": "en", "value": "STW (aka Sensor-Technik Wiedemann) TCG-4 Connectivity Module DeploymentPackage_v3.03r0-Impala and DeploymentPackage_v3.04r2-Jellyfish and TCG-4lite Connectivity Module DeploymentPackage_v3.04r2-Jellyfish allow an attacker to gain full remote access with root privileges without the need for authentication, giving an attacker arbitrary remote code execution over LTE / 4G network via SMS."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.stw-mobile-machines.com/fileadmin/user_upload/content/STW/PSIRT/STW-IR-23-001.pdf"}, {"url": "https://www.stw-mobile-machines.com/psirt/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:30:45.384Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.stw-mobile-machines.com/fileadmin/user_upload/content/STW/PSIRT/STW-IR-23-001.pdf", "tags": ["x_transferred"]}, {"url": "https://www.stw-mobile-machines.com/psirt/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-306", "lang": "en", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "affected": [{"vendor": "stw-mobile-machines", "product": "tcg-4", "cpes": ["cpe:2.3:h:stw-mobile-machines:tcg-4:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "v3.03r0-Impala", "status": "affected"}, {"version": "v3.04r2-Jellyfish", "status": "affected"}]}, {"vendor": "stw-mobile-machines", "product": "tcg-4lite", "cpes": ["cpe:2.3:h:stw-mobile-machines:tcg-4lite:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "v3.04r2-Jellyfish", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-27T16:25:11.896469Z", "id": "CVE-2023-35830", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-27T16:27:11.392Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.stw-mobile-machines.com/fileadmin/user_upload/content/STW/PSIRT/STW-IR-23-001.pdf", "tags": ["x_transferred"]}, {"url": "https://www.stw-mobile-machines.com/psirt/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:30:45.384Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-35830", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-27T16:25:11.896469Z"}}}], "affected": [{"cpes": ["cpe:2.3:h:stw-mobile-machines:tcg-4:-:*:*:*:*:*:*:*"], "vendor": "stw-mobile-machines", "product": "tcg-4", "versions": [{"status": "affected", "version": "v3.03r0-Impala"}, {"status": "affected", "version": "v3.04r2-Jellyfish"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:h:stw-mobile-machines:tcg-4lite:-:*:*:*:*:*:*:*"], "vendor": "stw-mobile-machines", "product": "tcg-4lite", "versions": [{"status": "affected", "version": "v3.04r2-Jellyfish"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-27T16:25:40.476Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.stw-mobile-machines.com/fileadmin/user_upload/content/STW/PSIRT/STW-IR-23-001.pdf"}, {"url": "https://www.stw-mobile-machines.com/psirt/"}], "descriptions": [{"lang": "en", "value": "STW (aka Sensor-Technik Wiedemann) TCG-4 Connectivity Module DeploymentPackage_v3.03r0-Impala and DeploymentPackage_v3.04r2-Jellyfish and TCG-4lite Connectivity Module DeploymentPackage_v3.04r2-Jellyfish allow an attacker to gain full remote access with root privileges without the need for authentication, giving an attacker arbitrary remote code execution over LTE / 4G network via SMS."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-06-29T00:00:00"}}}, "cveMetadata": {"cveId": "CVE-2023-35830", "state": "PUBLISHED", "dateUpdated": "2024-11-27T16:27:11.392Z", "dateReserved": "2023-06-18T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-06-29T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:stw-mobile-machines:tcg-4_firmware:3.01r1:*:*:*:*:*:*:*", "matchCriteriaId": "9AFBF793-6B08-4D93-A6C3-310217A53423", "vulnerable": true}, {"criteria": "cpe:2.3:o:stw-mobile-machines:tcg-4_firmware:3.02r0:*:*:*:*:*:*:*", "matchCriteriaId": "516BE3EC-957D-4227-A7E9-FD27878C248E", "vulnerable": true}, {"criteria": "cpe:2.3:o:stw-mobile-machines:tcg-4_firmware:3.03r0:*:*:*:*:*:*:*", "matchCriteriaId": "3B7C2981-3322-4141-8EE3-53C544DAB147", "vulnerable": true}, {"criteria": "cpe:2.3:o:stw-mobile-machines:tcg-4_firmware:3.04r2:*:*:*:*:*:*:*", "matchCriteriaId": "EDD8DEB6-12B8-4333-B5AE-0DC56B438335", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:stw-mobile-machines:tcg-4:-:*:*:*:*:*:*:*", "matchCriteriaId": "C423C3BB-8E62-4DF8-91E7-FCE8D946C4BB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:stw-mobile-machines:tcg-4lite_firmware:3.04r2:*:*:*:*:*:*:*", "matchCriteriaId": "4A240F0A-9C36-4E51-B65B-A2307AC56761", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:stw-mobile-machines:tcg-4lite:-:*:*:*:*:*:*:*", "matchCriteriaId": "431ACC05-E1AB-4D7E-A838-D797589BAF8B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "STW (aka Sensor-Technik Wiedemann) TCG-4 Connectivity Module DeploymentPackage_v3.03r0-Impala and DeploymentPackage_v3.04r2-Jellyfish and TCG-4lite Connectivity Module DeploymentPackage_v3.04r2-Jellyfish allow an attacker to gain full remote access with root privileges without the need for authentication, giving an attacker arbitrary remote code execution over LTE / 4G network via SMS."}], "id": "CVE-2023-35830", "lastModified": "2024-11-27T17:15:08.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-06-29T16:15:09.897", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://www.stw-mobile-machines.com/fileadmin/user_upload/content/STW/PSIRT/STW-IR-23-001.pdf"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://www.stw-mobile-machines.com/psirt/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.stw-mobile-machines.com/fileadmin/user_upload/content/STW/PSIRT/STW-IR-23-001.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.stw-mobile-machines.com/psirt/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}