SB2022040406 - Multiple vulnerabilities in General Electric Renewable Energy MDS Radios




Published: April 4, 2022

Security Bulletin ID: SB2022040406
Severity: High
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 20%, Medium: 40%, Low: 40%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Hidden functionality (CVE-ID: CVE-2022-24119)

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists because hidden functionality (a backdoor) is present in the software. A remote attacker can use this functionality to gain full access to the application and compromise the affected system.


2) Inadequate Encryption Strength (CVE-ID: CVE-2022-24116)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to inadequate encryption strength in the wireless security software and chipset implementations. A remote attacker on the local network can gain access to the system.


3) Resource exhaustion (CVE-ID: CVE-2022-24118)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker on the local network can use the authentication code to cause affected series radios to reset back to the factory default configuration and reboot.


4) Unprotected storage of credentials (CVE-ID: CVE-2022-24120)

The vulnerability allows a local attacker to gain access to other users' credentials.

The vulnerability exists because the application stores credentials in plain text in a configuration file on the system. An attacker with physical access can view the contents of the configuration file and gain access to passwords for third-party integration.


5) Download of code without integrity check (CVE-ID: CVE-2022-24117)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists because the software does not perform a software integrity check when downloading updates. A remote administrator can gain full control over the affected system after a successful software update.


Remediation

Install the update from the vendor's website.