PT-2023-2790 · Inhand Networks · Inrouter 615+1
Otorio
+1
·
Published
2023-01-12
·
Updated
2023-05-16
·
CVE-2023-22601
CVSS v3.1
10
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
InHand Networks InRouter 302 versions prior to IR302 V3.5.56
InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542
Description
The issue is related to the use of insufficiently random values, specifically with the MQTT ClientID parameters, which are not properly randomized. This could allow an unauthorized user to calculate the parameter and gather additional information about other InHand devices managed on the same cloud platform.
Recommendations
For InHand Networks InRouter 302 versions prior to IR302 V3.5.56, update to version IR302 V3.5.56 or later to resolve the issue.
For InHand Networks InRouter 615 versions prior to InRouter6XX-S-V2.3.0.r5542, update to version InRouter6XX-S-V2.3.0.r5542 or later to resolve the issue.
As a temporary workaround, consider restricting access to the MQTT ClientID parameter to minimize the risk of exploitation.
Fix
Use of Insufficiently Random Values
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Inrouter302
Inrouter 615