
CVSS: 2.4 • EPSS: 0% • CPEs: 11 • EXPL: 0

A flawed pseudorandom number generator in Dominion Voting Systems ImageCast Precinct (ICP and ICP2) and ImageCast Evolution (ICE) scanners allows anyone to determine the order in which ballots were cast from public ballot-level data, allowing deanonymization of voted ballots, in several types of scenarios. This issue was observed for use of the following versions of Democracy Suite: 5.2, 5.4-NM, 5.5, 5.5-A, 5.5-B, 5.5-C, 5.5-D, 5.7-A, 5.10, 5.10A, 5.15. NOTE: the Democracy Suite 5.17 EAC Certificate of Conformance mentions "Improved pseudo random number algorithm," which may be relevant. • https://dvsorder.org https://freedom-to-tinker.com/2023/06/14/security-analysis-of-the-dominion-imagecast-x https://www.eac.gov/sites/default/files/voting_system/files/D-Suite%205.17%20Certificate%20and%20Scope%20SIGNED.pdf https://www.eac.gov/voting-equipment/democracy-suite-517 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CVSS: 7.2 • EPSS: 0% • CPEs: 5 • EXPL: 0

The authentication mechanism used by technicians on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01 • CWE-290: Authentication Bypass by Spoofing

CVSS: 4.6 • EPSS: 0% • CPEs: 5 • EXPL: 0

The tested version of Dominion Voting Systems ImageCast X’s on-screen application hash display feature, audit log export, and application export functionality rely on self-attestation mechanisms. An attacker could leverage this vulnerability to disguise malicious applications on a device. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01 • CWE-1283: Mutable Attestation or Measurement Reporting Data

CVSS: 7.2 • EPSS: 0% • CPEs: 5 • EXPL: 0

The tested version of Dominion Voting Systems ImageCast X allows for rebooting into Android Safe Mode, which allows an attacker to directly access the operating system. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01 • CWE-424: Improper Protection of Alternate Path

CVSS: 7.2 • EPSS: 0% • CPEs: 5 • EXPL: 0

The tested version of Dominion Voting Systems ImageCast X can be manipulated to cause arbitrary code execution by specially crafted election definition files. An attacker could leverage this vulnerability to spread malicious code to ImageCast X devices from the EMS. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01 • CWE-24: Path Traversal: '../filedir'