SB2022062923 - Multiple vulnerabilities in Motorola Solutions ACE1000

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022062923

SB2022062923 - Multiple vulnerabilities in Motorola Solutions ACE1000

Published: June 29, 2022

Security Bulletin ID SB2022062923
Severity
High
Patch available
NO
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 40% Medium 20% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2022-30271)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected product ships with a hardcoded SSH private key and initialization script only generate a new key if no such file yet exists. A remote attacker can execute arbitrary code on the target system.


2) Use of hard-coded credentials (CVE-ID: CVE-2022-30270)

The vulnerability allows a remote attacker to gain full access to vulnerable system.

The vulnerability exists due to presence of hard-coded credentials in application code. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2022-30274)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the credentials for XRT Lan-to-radio gateway are stored after being encrypted with the tiny encryption algorithm (TEA) in ECB mode using a hardcoded key. A remote attacker can manipulate the device configuration.


4) Insufficient verification of data authenticity (CVE-ID: CVE-2022-30269)

The vulnerability allows a remote user to compromsie the target system.

The vulnerability exists due to the affected product allows for custom application installation via STS software, the C toolkit, or the ACE1000 Easy Configurator. A remote administrator can execute arbitrary code on the target system.


5) Insufficient verification of data authenticity (CVE-ID: CVE-2022-30272)

The vulnerability allows a remote user to compromsie the target system.

The vulnerability exists due to the affected product allows for custom application installation via STS software, the C toolkit, or the ACE1000 Easy Configurator. A remote administrator can execute arbitrary code on the target system.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References