CVE-2023-36610

Summary

​The affected TBox RTUs generate software security tokens using insufficient entropy. The random seed used to generate the software tokens is not initialized correctly, and other parts of the token are generated using predictable time-based values. An attacker with this knowledge could successfully brute force the token and authenticate themselves.

Affected Software

VendorProductVersion RangeStatus
OvarroTBox MS-CPU320 <= 1.50.598affected
Ovarro​TBox MS-CPU32-S20 <= 1.50.598affected
OvarroTBox LT20 <= 1.50.598affected
OvarroTBox TG20 <= 1.50.598affected
OvarroTBox RM20 <= 1.50.598affected

Weaknesses

  • CWE-331: CWE-331 Insufficient Entropy

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References