CVE-2023-40462

The ACEManager component of ALEOS 4.16 and earlier does not perform input sanitization during authentication, which could potentially result in a Denial of Service (DoS) condition for ACEManager without impairing other router functions. ACEManager recovers from the DoS condition by restarting within ten seconds of becoming unavailable.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.debian.org/debian-lts-announce/2023/12/msg00024.html	Mailing List Third Party Advisory
https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.6KUVtE6w.dpbs	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:sierrawireless:aleos:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:sierrawireless:es450:-:::::::*
	cpe:2.3:h:sierrawireless:gx450:-:::::::*
	cpe:2.3:h:sierrawireless:lx40:-:::::::*
	cpe:2.3:h:sierrawireless:lx60:-:::::::*
	cpe:2.3:h:sierrawireless:mp70:-:::::::*
	cpe:2.3:h:sierrawireless:rv50x:-:::::::*
	cpe:2.3:h:sierrawireless:rv55:-:::::::*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

02 Feb 2024, 03:12

Type	Values Removed	Values Added
References	~~() https://lists.debian.org/debian-lts-announce/2023/12/msg00024.html -~~	() https://lists.debian.org/debian-lts-announce/2023/12/msg00024.html - Mailing List, Third Party Advisory
First Time		Debian Debian debian Linux
CPE		cpe:2.3:o:debian:debian_linux:10.0:::::::*

Information

Published : 2023-12-04 23:15

Updated : 2024-02-02 03:12

NVD link : CVE-2023-40462

Mitre link : CVE-2023-40462

CVE.ORG link : CVE-2023-40462

JSON object : View

Products Affected

sierrawireless

mp70
lx60
aleos
rv50x
lx40
rv55
es450
gx450

debian

debian_linux

CWE

CWE-617

Reachable Assertion

{"id": "CVE-2023-40462", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security@sierrawireless.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-12-04T23:15:25.603", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00024.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@sierrawireless.com"}, {"url": "https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006/#sthash.6KUVtE6w.dpbs", "tags": ["Vendor Advisory"], "source": "security@sierrawireless.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-617"}]}, {"type": "Secondary", "source": "security@sierrawireless.com", "description": [{"lang": "en", "value": "CWE-617"}]}], "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\n\n\n\nThe ACEManager\ncomponent of ALEOS 4.16 and earlier does not\n\n\n\nperform input\nsanitization during authentication, which could\n\n\n\npotentially result\nin a Denial of Service (DoS) condition for\n\n\n\nACEManager without\nimpairing other router functions. ACEManager\n\n\n\nrecovers from the\nDoS condition by restarting within ten seconds of\n\n\n\nbecoming\nunavailable.\n\n\n\n\n\n\n\n"}, {"lang": "es", "value": "El componente ACEManager de ALEOS 4.16 y versiones anteriores no realiza sanitizaci\u00f3n de entrada durante la autenticaci\u00f3n, lo que podr\u00eda resultar en una condici\u00f3n de denegaci\u00f3n de servicio (DoS) para ACEManager sin afectar otras funciones del router. ACEManager se recupera de la condici\u00f3n DoS reinici\u00e1ndose dentro de los diez segundos posteriores a que no est\u00e9 disponible."}], "lastModified": "2024-02-02T03:12:25.617", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:sierrawireless:aleos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45265DDA-E10F-49D0-B2C6-FC123C42E5AE", "versionEndIncluding": "4.16.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:sierrawireless:es450:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "524DF1AE-21F2-4AA6-99E7-6F98304FF845"}, {"criteria": "cpe:2.3:h:sierrawireless:gx450:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2C12CF71-FE0E-44EA-9F2E-7CFB42E7C216"}, {"criteria": "cpe:2.3:h:sierrawireless:lx40:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "069DD303-C100-4FAF-BD6B-4EE61CBDE9F7"}, {"criteria": "cpe:2.3:h:sierrawireless:lx60:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2A3B7B3D-1594-434B-8E22-01C67DF54F16"}, {"criteria": "cpe:2.3:h:sierrawireless:mp70:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "007D4629-4BE2-4C7A-AC8B-E87739E22D12"}, {"criteria": "cpe:2.3:h:sierrawireless:rv50x:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "61D3EF27-E823-4E49-BD58-D050EB02D294"}, {"criteria": "cpe:2.3:h:sierrawireless:rv55:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "215BD4AB-8EFD-4F82-ABE4-E7F81AD528C2"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}], "sourceIdentifier": "security@sierrawireless.com"}