SB2023012722 - Multiple vulnerabilities in Snap One Wattbox WB-300-IP-3
Published: January 27, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2023-24020)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper restriction of excessive authentication attempts. A remote attacker can multiple attempts to force a login.
2) Heap-based buffer overflow (CVE-ID: CVE-2023-23582)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Unprotected storage of credentials (CVE-ID: CVE-2023-22389)
The vulnerability allows a remote attacker to gain access to other users' credentials.
The vulnerability exists due to application stored credentials in plain text in a configuration file on the system. A remote attacker on the local network can view contents of the configuration file and gain access to passwords for 3rd party integration.
4) Insufficient verification of data authenticity (CVE-ID: CVE-2023-22315)
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to the local area network (LAN) protocol does not verify updates to the device. A local attacker can upload a malformed update file to the device and execute arbitrary code.
Remediation
Install update from vendor's website.