CVE-2022-0823

Observable Discrepancy (CWE-203)

Published: Jun 9, 2022 / Updated: 29mo ago

CVSS 6.2 / EPSS 0.05% / Medium

An improper control of interaction frequency vulnerability in Zyxel GS1200 series switches could allow a local attacker to guess the password by using a timing side-channel attack.

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2022-0823.

Jun 7, 2022 at 3:27 AM / twitter.com

EPSS

EPSS Score was set to: 0.05% (Percentile: 19.3%)

Sep 28, 2023 at 11:41 PM

Affected Systems

Zyxel/gs1200-5hp_firmware

Patches

www.zyxel.com

Attack Patterns

CAPEC-189: Black Box Reverse Engineering

References

Cybersecurity Week in Review (9/9/22)
Once deployed on a targeted host, the attack chain downloads and executes the Metasploit’s Mettle meterpreter to maximize control, exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and ultimately launches a cryptocurrency miner on infected devices. Successful exploitation of the above vulnerabilities could cause a remote denial-of-service (DoS), or enable an attacker with physical access to the device to extract sensitive information or alternatively carry out adversary-in-the-middle attacks.

News

Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released
“A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet,” the company said in an advisory released on September 6. Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices.
Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released
Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices.
Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released
Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices. "A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet," the company said in an advisory released on September 6.
Zyxel NAS Devices Have a Critical RCE Vulnerability; A Firmware Patch Has Been Released
Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices. The post Zyxel NAS Devices Have a Critical RCE Vulnerability; A Firmware Patch Has Been Released appeared first on The Cybersecurity Daily News.

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: None
