ID

VAR-202203-0217


CVE

CVE-2022-25214


TITLE

Incorrect Authentication Vulnerability in Multiple PHICOMM Products

Trust: 0.8

sources: JVNDB: JVNDB-2022-006586

DESCRIPTION

Improper access control on the LocalClientList.asp interface allows an unauthenticated remote attacker to obtain sensitive information concerning devices on the local area network, including IP and MAC addresses. Improper access control on the wirelesssetup.asp interface allows an unauthenticated remote attacker to obtain the WPA passphrases for the 2.4GHz and 5.0GHz wireless networks. This is particularly dangerous given that the K2G setup wizard presents the user with the option of using the same password for the 2.4GHz network and the administrative interface, by clicking a checkbox. When Remote Management is enabled, these endpoints are exposed to the WAN. Multiple PHICOMM products, including k2 firmware, k3 firmware, and k3c firmware, contain an incorrect authentication vulnerability. Information may be obtained, and the device may be put into a denial-of-service (DoS) state.

Trust: 1.62

sources: NVD: CVE-2022-25214 // JVNDB: JVNDB-2022-006586

AFFECTED PRODUCTS

vendor: phicomm, model: k3c, scope: lte, version: 32.1.15.93

Trust: 1.0

vendor: phicomm, model: k2p, scope: lte, version: 20.4.1.7

Trust: 1.0

vendor: phicomm, model: k3, scope: lte, version: 21.5.37.246

Trust: 1.0

vendor: phicomm, model: k2g, scope: lte, version: 22.6.3.20

Trust: 1.0

vendor: phicomm, model: k2, scope: lte, version: 22.5.9.163

Trust: 1.0

vendor: phicomm, model: k3, scope: -, version: -

Trust: 0.8

vendor: phicomm, model: k2, scope: -, version: -

Trust: 0.8

vendor: phicomm, model: k3c, scope: -, version: -

Trust: 0.8

vendor: phicomm, model: k2p, scope: -, version: -

Trust: 0.8

vendor: phicomm, model: k2g, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-006586 // NVD: CVE-2022-25214

CVSS

SEVERITY

nvd@nist.gov: CVE-2022-25214
value: HIGH

Trust: 1.0

NVD: CVE-2022-25214
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202203-807
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2022-25214
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2022-25214
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2022-25214
baseSeverity: HIGH
baseScore: 7.4
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-006586 // CNNVD: CNNVD-202203-807 // NVD: CVE-2022-25214

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

problemtype: Incorrect authentication (CWE-863) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-006586 // NVD: CVE-2022-25214

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-807

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202203-807

PATCH

title: Phicomm repair measures for access control error vulnerabilities in multiple products
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=186167

Trust: 0.6

sources: CNNVD: CNNVD-202203-807

EXTERNAL IDS

db: NVD, id: CVE-2022-25214

Trust: 3.2

db: TENABLE, id: TRA-2022-01

Trust: 2.4

db: JVNDB, id: JVNDB-2022-006586

Trust: 0.8

db: CS-HELP, id: SB2022030909

Trust: 0.6

db: CNNVD, id: CNNVD-202203-807

Trust: 0.6

sources: JVNDB: JVNDB-2022-006586 // CNNVD: CNNVD-202203-807 // NVD: CVE-2022-25214

REFERENCES

url:https://www.tenable.com/security/research/tra-2022-01

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2022-25214

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-25214/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022030909

Trust: 0.6

sources: JVNDB: JVNDB-2022-006586 // CNNVD: CNNVD-202203-807 // NVD: CVE-2022-25214

SOURCES

db: JVNDB, id: JVNDB-2022-006586
db: CNNVD, id: CNNVD-202203-807
db: NVD, id: CVE-2022-25214

LAST UPDATE DATE

2024-11-23T21:50:40.667000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2022-006586, date: 2023-07-06T08:11:00
db: CNNVD, id: CNNVD-202203-807, date: 2022-03-18T00:00:00
db: NVD, id: CVE-2022-25214, date: 2024-11-21T06:51:49.193

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2022-006586, date: 2023-07-06T00:00:00
db: CNNVD, id: CNNVD-202203-807, date: 2022-03-09T00:00:00
db: NVD, id: CVE-2022-25214, date: 2022-03-10T17:47:01.153