CVE-2022-42787

Summary

Multiple W&T products of the Comserver Series use a small number space for allocating sessions ids. After login of an user an unathenticated remote attacker can brute force the users session id and get access to his account on the the device. As the user needs to log in for the attack to be successful a user interaction is required.

Affected Software

VendorProductVersion RangeStatus
Wiesemann & TheisCom-Server LC1.0 < 1.48affected
Wiesemann & TheisCom-Server PoE 3 x Isolated1.0 < 1.48affected
Wiesemann & TheisCom-Server 20mA1.0 < 1.48affected
Wiesemann & TheisCom-Server ++1.0 < 1.48affected
Wiesemann & TheisAT-Modem-Emulator1.0 < 1.48affected
Wiesemann & TheisCom-Server UL1.0 < 1.48affected
Wiesemann & TheisCom-Server Highspeed 100BaseFX1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed 100BaseLX1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed Office 1 Port1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed Office 4 Port1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed Industry1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed OEM1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed Compact1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed Isolated1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed 19" 1Port1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed 19" 4Port1.0 < 1.76affected
Wiesemann & TheisCom-Server Highspeed PoE1.0 < 1.76affected

Weaknesses

  • CWE-330: CWE-330 Use of Insufficiently Random Values

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References