Vulnerability Description
The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the "plaintext" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's RSA_public_decrypt() function. This weakness allows the attacker to manipulate the various iterations of the telnetd startup state machine and eventually obtain a root shell on the device, by means of an exchange of crafted UDP packets. In all versions but K2 22.5.9.163 and K3C 32.1.15.93 a successful attack also requires the exploitation of a null-byte interaction error (CVE-2022-25219).
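The following worked example is added here to illustrate the weakness the description names; it is not the Phicomm firmware and not code from the Tenable advisory. It models the device side as OpenSSL's RSA_public_decrypt() with RSA_NO_PADDING (m = c^e mod n) and shows that an attacker who holds only the public key can search for a ciphertext whose "plaintext" carries chosen bytes at a chosen position, at a cost of roughly 256^k public operations for k bytes regardless of key size, while the same blob is rejected the moment a PKCS#1 v1.5 padding check is applied. The key is a constructed toy (two Mersenne primes, far too small and structured for real use) so the example runs offline and deterministically; the separate null-byte interaction error (CVE-2022-25219) is not modelled.

```python
"""Textbook RSA lets an attacker steer RSA_public_decrypt() output (constructed example)."""
from __future__ import annotations

# Constructed toy key: two Mersenne primes so no key generation is needed.
# Only (N, E) is used by the attacker; D exists so the legitimate path can be shown.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; the attacker never has this
K = (N.bit_length() + 7) // 8       # modulus length in bytes (30 for this toy key)


def rsa_public_op(c: bytes) -> bytes:
    """Models RSA_public_decrypt(..., RSA_NO_PADDING): raw c^e mod n, fixed-width big-endian."""
    c_int = int.from_bytes(c, "big")
    if len(c) != K or c_int >= N:
        raise ValueError("ciphertext must be exactly K bytes and less than N")
    return pow(c_int, E, N).to_bytes(K, "big")


def forge_with_bytes_at(offset: int, wanted: bytes, max_tries: int = 4_000_000) -> tuple[bytes, bytes]:
    """Attacker-side search using only (N, E).

    Returns (c, m) with m = rsa_public_op(c) and m[offset:offset+len(wanted)] == wanted.
    Nothing in unpadded RSA ties m to any structure, so the attacker simply evaluates
    the public operation until the output has the shape they want; the expected cost
    is about 256**len(wanted) trials and does not grow with the modulus size.
    Offset 0 is avoided in the demo because the top byte is bounded by N.
    """
    end = offset + len(wanted)
    for c_int in range(2, 2 + max_tries):
        c = c_int.to_bytes(K, "big")
        m = rsa_public_op(c)
        if m[offset:end] == wanted:
            return c, m
    raise RuntimeError("search budget exhausted")


def pkcs1_v15_type1_pad(data: bytes) -> bytes:
    """EM = 0x00 || 0x01 || PS (>= 8 bytes of 0xFF) || 0x00 || data, the block type 1 layout."""
    ps_len = K - 3 - len(data)
    if ps_len < 8:
        raise ValueError("data too long for modulus")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + data


def pkcs1_v15_type1_unpad(em: bytes) -> bytes | None:
    """The structure check RSA_public_decrypt(..., RSA_PKCS1_PADDING) performs; None means reject."""
    if len(em) != K or em[0] != 0x00 or em[1] != 0x01:
        return None
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return None
    return em[i + 1:]


def device_accepts(c: bytes) -> bytes | None:
    """Hardened device side: public operation followed by the padding check."""
    return pkcs1_v15_type1_unpad(rsa_public_op(c))


def legit_sign(data: bytes) -> bytes:
    """Only the private-key holder can produce a blob that survives device_accepts()."""
    em = pkcs1_v15_type1_pad(data)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


if __name__ == "__main__":
    c, m = forge_with_bytes_at(1, b"\x13\x37")
    print("forged ciphertext     :", c.hex())
    print("unpadded 'plaintext'  :", m.hex(), "(bytes 1..2 chosen by attacker)")
    print("with PKCS#1 v1.5 check:", device_accepts(c))
    print("legitimate signature  :", device_accepts(legit_sign(b"hello")))
```

The search loop is the whole attack surface in miniature: because the device applies nothing but the public operation, every candidate ciphertext yields a predictable, attacker-computable output, and the only question is how many bytes of that output the firmware's state machine actually inspects. Any padding scheme that RSA_public_decrypt() can verify (block type 1 here) collapses the probability that a random blob is accepted to a negligible value, which is the fix the description implies.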
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phicomm | K2 Firmware | <= 22.5.9.163 |
| Phicomm | K2 | - |
| Phicomm | K3 Firmware | <= 21.5.37.246 |
| Phicomm | K3 | - |
| Phicomm | K3C Firmware | <= 32.1.15.93 |
| Phicomm | K3C | - |
| Phicomm | K2G Firmware | <= 22.6.3.20 |
| Phicomm | K2G | - |
| Phicomm | K2P Firmware | <= 20.4.1.7 |
| Phicomm | K2P | - |
Related Weaknesses (CWE)
References
- https://www.tenable.com/security/research/tra-2022-01 (Exploit, Third Party Advisory)
FAQ
What is CVE-2022-25218?
CVE-2022-25218 is a vulnerability with a CVSS score of 8.1 (HIGH). The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over...
How severe is CVE-2022-25218?
CVE-2022-25218 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-25218?
Check the references section above for vendor advisories and patch information. Affected products include: Phicomm K2 Firmware, Phicomm K2, Phicomm K3 Firmware, Phicomm K3, Phicomm K3C Firmware, Phicomm K3C, Phicomm K2G Firmware, Phicomm K2G, Phicomm K2P Firmware and Phicomm K2P (see the version ranges in the Affected Products table).