SB2024082625 - Multiple vulnerabilities in Swissphone DiCal-RED 4009
Published: August 26, 2024
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2024-36440)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to use of password hash with insufficient computational effort. A remote attacker can gain unauthorized access to sensitive information on the system.
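Added example, not code from the bulletin or the SySS advisories: a defender-side audit that flags stored password hashes whose format or work factor implies insufficient computational effort, the weakness class behind CVE-2024-36440. The recognised formats, the rounds/cost thresholds and the shadow-style sample lines are assumptions constructed for the example, since the bulletin does not state which algorithm the device uses.

```python
import re

# Heuristic audit of stored password hashes for "insufficient computational
# effort". Thresholds below are assumptions for this example, not values
# taken from the DiCal-RED advisories.
MIN_SHA_CRYPT_ROUNDS = 100_000   # assumed floor for $5$/$6$ sha-crypt rounds
MIN_BCRYPT_COST = 10             # assumed floor for the bcrypt cost parameter

_BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$")
_SHACRYPT = re.compile(r"^\$(5|6)\$(?:rounds=(\d+)\$)?")


def audit_hash(stored: str) -> tuple[str, str]:
    """Classify one stored hash string as ('weak'|'ok', reason)."""
    if stored in ("", "*", "!", "!!"):
        return "ok", "account locked or no password set"
    if re.fullmatch(r"[0-9a-f]{32}", stored, re.I):
        return "weak", "unsalted MD5 digest"
    if re.fullmatch(r"[0-9a-f]{40}", stored, re.I):
        return "weak", "unsalted SHA-1 digest"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "weak", "traditional DES crypt"
    if stored.startswith("$1$"):
        return "weak", "md5crypt (fixed 1000 iterations)"
    m = _SHACRYPT.match(stored)
    if m:
        # glibc sha-crypt defaults to 5000 rounds when no rounds= field is present
        rounds = int(m.group(2)) if m.group(2) else 5000
        verdict = "weak" if rounds < MIN_SHA_CRYPT_ROUNDS else "ok"
        return verdict, f"sha-crypt with {rounds} rounds"
    m = _BCRYPT.match(stored)
    if m:
        cost = int(m.group(1))
        verdict = "weak" if cost < MIN_BCRYPT_COST else "ok"
        return verdict, f"bcrypt cost {cost}"
    return "weak", "unrecognised format; treat as weak until verified"


# Constructed /etc/shadow-style sample lines; not data from any real device.
SAMPLE_SHADOW = [
    "root:$1$ab12$zQ9xyz:19500:0:99999:7:::",
    "svc:$6$rounds=200000$s4lt$h4sh:19500:0:99999:7:::",
    "guest:$6$s4lt$h4sh:19500:0:99999:7:::",
]


def audit_shadow(lines):
    """Yield (user, verdict, reason) for each shadow-style line."""
    for line in lines:
        user, stored = line.split(":", 2)[:2]
        verdict, reason = audit_hash(stored)
        yield user, verdict, reason
```

Run the audit over a device's exported shadow file; any "weak" verdict is a finding to raise with the vendor, and an unrecognised format is reported as weak rather than silently passed.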
2) Missing Authentication for Critical Function (CVE-ID: CVE-2024-36445)
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to missing authentication for a critical function in the Telnet service. A remote attacker can gain root privileges on the device.
3) Missing Authentication for Critical Function (CVE-ID: CVE-2024-36443)
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to missing authentication for a critical function. A remote attacker can gain access to sensitive information on the system.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://www.swissphone.com/en-us/solutions/components/terminals/radio-data-module-dical-red/
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-037.txt
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-035.txt
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-036.txt