Vulnerability Details CVE-2022-25218
The use of the RSA algorithm without OAEP, or any other padding scheme, in telnetd_startup, allows an unauthenticated attacker on the local area network to achieve a significant degree of control over the "plaintext" to which an arbitrary blob of ciphertext will be decrypted by OpenSSL's RSA_public_decrypt() function. This weakness allows the attacker to manipulate the various iterations of the telnetd startup state machine and eventually obtain a root shell on the device, by means of an exchange of crafted UDP packets. In all versions but K2 22.5.9.163 and K3C 32.1.15.93 a successful attack also requires the exploitation of a null-byte interaction error (CVE-2022-25219).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.012
EPSS Ranking 77.6%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 9.3
References
Products affected by CVE-2022-25218
-
cpe:2.3:h:phicomm:k2:-
-
cpe:2.3:h:phicomm:k2g:-
-
cpe:2.3:h:phicomm:k2p:-
-
cpe:2.3:h:phicomm:k3:-
-
cpe:2.3:h:phicomm:k3c:-
-
cpe:2.3:o:phicomm:k2_firmware:-
-
cpe:2.3:o:phicomm:k2_firmware:22.5.9.163
-
cpe:2.3:o:phicomm:k2g_firmware:-
-
cpe:2.3:o:phicomm:k2g_firmware:22.6.3.20
-
cpe:2.3:o:phicomm:k2p_firmware:-
-
cpe:2.3:o:phicomm:k2p_firmware:20.4.1.7
-
cpe:2.3:o:phicomm:k3_firmware:-
-
cpe:2.3:o:phicomm:k3_firmware:21.5.37.246
-
cpe:2.3:o:phicomm:k3c_firmware:-
-
cpe:2.3:o:phicomm:k3c_firmware:32.1.15.93