Multiple vulnerabilities in Sielco Radio Link and Analog FM Transmitters



Risk: High
Patch available: No
Number of vulnerabilities: 4
CVE-ID: CVE-2023-42769, CVE-2023-45317, CVE-2023-45228, CVE-2023-41966
CWE-ID: CWE-284, CWE-352, CWE-264
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Category: Hardware solutions / Routers & switches, VoIP, GSM, etc

Analog FM transmitter EXC5000GX
Analog FM transmitter EXC120GX
Analog FM transmitter EXC300GX
Analog FM transmitter EXC1600GX
Analog FM transmitter EXC2000GX
Analog FM transmitter EXC1000GX
Analog FM transmitter EXC3000GX
Analog FM transmitter EXC30GT
Analog FM transmitter EXC300GT
Analog FM transmitter EXC100GT
Analog FM transmitter EXC5000GT
Analog FM transmitter EXC1000GT
Analog FM transmitter EXC120GT
Radio Link RTX19
Radio Link EXC19

Vendor: Sielco

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU82526

Risk: High

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-42769

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can perform a brute-force attack to obtain a valid session, bypass authentication and manipulate the transmitter.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Analog FM transmitter EXC5000GX: 2.06 - 2.12

Analog FM transmitter EXC120GX: 2.12

Analog FM transmitter EXC300GX: 2.11

Analog FM transmitter EXC1600GX: 2.08 - 2.10

Analog FM transmitter EXC2000GX: 2.10

Analog FM transmitter EXC1000GX: 2.08

Analog FM transmitter EXC3000GX: 2.07

Analog FM transmitter EXC30GT: 1.7.7

Analog FM transmitter EXC300GT: 1.7.4

Analog FM transmitter EXC100GT: 1.7.4

Analog FM transmitter EXC5000GT: 1.7.4

Analog FM transmitter EXC1000GT: 1.6.3

Analog FM transmitter EXC120GT: 1.5.4

Radio Link RTX19: 1.59 - 2.06

Radio Link EXC19: 1.55 - 2.00

External links

http://www.sielco.org/en/contacts
http://www.cisa.gov/news-events/ics-advisories/icsa-23-299-08


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site request forgery

EUVDB-ID: #VU82527

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-45317

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Analog FM transmitter EXC5000GX: 2.06 - 2.12

Analog FM transmitter EXC120GX: 2.12

Analog FM transmitter EXC300GX: 2.11

Analog FM transmitter EXC1600GX: 2.08 - 2.10

Analog FM transmitter EXC2000GX: 2.10

Analog FM transmitter EXC1000GX: 2.08

Analog FM transmitter EXC3000GX: 2.07

Analog FM transmitter EXC30GT: 1.7.7

Analog FM transmitter EXC300GT: 1.7.4

Analog FM transmitter EXC100GT: 1.7.4

Analog FM transmitter EXC5000GT: 1.7.4

Analog FM transmitter EXC1000GT: 1.6.3

Analog FM transmitter EXC120GT: 1.5.4

Radio Link RTX19: 1.59 - 2.06

Radio Link EXC19: 1.55 - 2.00

External links

http://www.sielco.org/en/contacts
http://www.cisa.gov/news-events/ics-advisories/icsa-23-299-08


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper access control

EUVDB-ID: #VU82528

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-45228

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions when editing users. A remote user can send a single HTTP POST request with modified parameters and manipulate users, passwords and permissions.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Analog FM transmitter EXC5000GX: 2.06 - 2.12

Analog FM transmitter EXC120GX: 2.12

Analog FM transmitter EXC300GX: 2.11

Analog FM transmitter EXC1600GX: 2.08 - 2.10

Analog FM transmitter EXC2000GX: 2.10

Analog FM transmitter EXC1000GX: 2.08

Analog FM transmitter EXC3000GX: 2.07

Analog FM transmitter EXC30GT: 1.7.7

Analog FM transmitter EXC300GT: 1.7.4

Analog FM transmitter EXC100GT: 1.7.4

Analog FM transmitter EXC5000GT: 1.7.4

Analog FM transmitter EXC1000GT: 1.6.3

Analog FM transmitter EXC120GT: 1.5.4

Radio Link RTX19: 1.59 - 2.06

Radio Link EXC19: 1.55 - 2.00

External links

http://www.sielco.org/en/contacts
http://www.cisa.gov/news-events/ics-advisories/icsa-23-299-08


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU82530

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-41966

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions. A remote user can send an HTTP POST request to set a parameter and gain elevated privileges.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Analog FM transmitter EXC5000GX: 2.06 - 2.12

Analog FM transmitter EXC120GX: 2.12

Analog FM transmitter EXC300GX: 2.11

Analog FM transmitter EXC1600GX: 2.08 - 2.10

Analog FM transmitter EXC2000GX: 2.10

Analog FM transmitter EXC1000GX: 2.08

Analog FM transmitter EXC3000GX: 2.07

Analog FM transmitter EXC30GT: 1.7.7

Analog FM transmitter EXC300GT: 1.7.4

Analog FM transmitter EXC100GT: 1.7.4

Analog FM transmitter EXC5000GT: 1.7.4

Analog FM transmitter EXC1000GT: 1.6.3

Analog FM transmitter EXC120GT: 1.5.4

Radio Link RTX19: 1.59 - 2.06

Radio Link EXC19: 1.55 - 2.00

External links

http://www.sielco.org/en/contacts
http://www.cisa.gov/news-events/ics-advisories/icsa-23-299-08


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


