CVE-2023-4489
Z/IP Gateway Use of Uninitialized PRNG when Generating S0 Encryption Key
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The first S0 encryption key is generated with an uninitialized PRNG in Z/IP Gateway products running Silicon Labs Z/IP Gateway SDK v7.18.3 and earlier. This makes the first S0 key generated at startup predictable, potentially allowing network key prediction and unauthorized S0 network access.
La primera clave de cifrado S0 se genera con un PRNG no inicializado en productos Z/IP Gateway que ejecutan Silicon Labs Z/IP Gateway SDK v7.18.3 y versiones anteriores. Esto hace que la primera clave S0 generada al inicio sea predecible, lo que potencialmente permite la predicción de claves de red y el acceso no autorizado a la red S0.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-08-23 CVE Reserved
- 2023-12-14 CVE Published
- 2023-12-29 EPSS Updated
- 2024-09-27 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-908: Use of Uninitialized Resource
- CWE-1279: Cryptographic Operations are run Before Supporting Units are Ready
CAPEC
- CAPEC-59: Session Credential Falsification through Prediction
References (1)
| URL | Tag | Source |
|---|---|---|
| https://github.com/SiliconLabs/gecko_sdk | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Silabs Search vendor "Silabs" | Z\/ip Gateway Sdk Search vendor "Silabs" for product "Z\/ip Gateway Sdk" | <= 7.18.03 Search vendor "Silabs" for product "Z\/ip Gateway Sdk" and version " <= 7.18.03" | - |
Affected
| ||||||