Download of code without integrity check in Hardware solutions

#VU61821 Download of code without integrity check in Hardware solutions

Published: 2022-04-04

Vulnerability identifier: #VU61821

Vulnerability risk: Low

CVSSv3.1: 7.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-24117

CWE-ID: CWE-494

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
iNET
Hardware solutions / Firmware
iNET II
Hardware solutions / Firmware
SD series radio firmware
Hardware solutions / Firmware
TD220X
Hardware solutions / Firmware
TD220MAX
Hardware solutions / Firmware

Vendor:

Description

The vulnerability allows a remote user to compromise the affected system

The vulnerability exists due to software does not perform software integrity check when downloading updates. A remote administrator gain full control over the affected system after a successful software update.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://ics-cert.us-cert.gov/advisories/icsa-22-090-06

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in General Electric Renewable Energy MDS Radios