CVE-2023-42419

Summary

Maintenance Server, in Cybellum's QCOW air-gapped distribution (China Edition), versions 2.15.5 through 2.27, was compiled with a hard-coded private cryptographic key.

An attacker with administrative privileges & access to the air-gapped server could potentially use this key to run commands on the server. The issue was resolved in version 2.28. Earlier versions, including all Cybellum 1.x versions, and distributions for the rest of the world remain unaffected.

Affected Software

VendorProductVersion RangeStatus
CybellumMaintenance Server2.15.5 <= 2.27affected
CybellumMaintenance Server1.*unaffected
CybellumMaintenance Server2.0 <= 2.19unaffected
CybellumMaintenance Server2.28 <= or aboveunaffected

Weaknesses

  • cwe-321 Use of Hard-coded Cryptographic Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References