CVE-2023-36609: Detailed Vulnerability Analysis and Overview

CVE-2023-36609 Vulnerability Summary

The affected TBox RTUs run OpenVPN with root privileges and can run user defined configuration scripts. An attacker could set up a local OpenVPN server and push a malicious script onto the TBox host to acquire root privileges.

Need help fixing CVEs? Check out our Step-by-Step Guide on How to Fix CVEs.

CVE-2023-36609: Detailed Information and External References

EPSS

0.00064

EPSS %

0.29884

References

0.00064

• https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03
• https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03

CWE

CWE-829

CAPEC

0.00064

• Code Inclusion: An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
• Serialized Data External Linking: An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain.
• DTD Injection: An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion.
• Local Code Inclusion: The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.
• PHP Local File Inclusion: The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.
• Remote Code Inclusion: The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways.
• Force Use of Corrupted Files: This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service caused by the application being unable to process the corrupted file, but other results, including the disabling of filters or access controls (if the application fails in an unsafe way rather than failing by locking down) or buffer overflows are possible.
• Open-Source Library Manipulation: Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.
• Local Execution of Code: An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.
• Inclusion of Code in Existing Process: The adversary takes advantage of a bug in an application failing to verify the integrity of the running process to execute arbitrary code in the address space of a separate live process. The adversary could use running code in the context of another process to try to access process's memory, system/network resources, etc. The goal of this attack is to evade detection defenses and escalate privileges by masking the malicious code under an existing legitimate process. Examples of approaches include but not limited to: dynamic-link library (DLL) injection, portable executable injection, thread execution hijacking, ptrace system calls, VDSO hijacking, function hooking, reflective code loading, and more.
• Root/Jailbreak Detection Evasion via Hooking: An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to "hook" code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more.
• Repo Jacking: An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.
• Install Malicious Extension: An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.

Vulnerable Configurations

• cpe:2.3:o:ovarro:tbox_ms-cpu32_firmware:-:*:*:*:*:*:*:*
  cpe:2.3:o:ovarro:tbox_ms-cpu32_firmware:-:*:*:*:*:*:*:*
• cpe:2.3:h:ovarro:tbox_ms-cpu32:-:*:*:*:*:*:*:*
  cpe:2.3:h:ovarro:tbox_ms-cpu32:-:*:*:*:*:*:*:*
• cpe:2.3:o:ovarro:tbox_ms-cpu32-s2_firmware:-:*:*:*:*:*:*:*
  cpe:2.3:o:ovarro:tbox_ms-cpu32-s2_firmware:-:*:*:*:*:*:*:*
• cpe:2.3:h:ovarro:tbox_ms-cpu32-s2:-:*:*:*:*:*:*:*
  cpe:2.3:h:ovarro:tbox_ms-cpu32-s2:-:*:*:*:*:*:*:*
• cpe:2.3:o:ovarro:tbox_lt2_firmware:-:*:*:*:*:*:*:*
  cpe:2.3:o:ovarro:tbox_lt2_firmware:-:*:*:*:*:*:*:*
• cpe:2.3:o:ovarro:tbox_lt2_firmware:1.46:*:*:*:*:*:*:*
  cpe:2.3:o:ovarro:tbox_lt2_firmware:1.46:*:*:*:*:*:*:*
• cpe:2.3:o:ovarro:tbox_lt2_firmware:1.50.598:*:*:*:*:*:*:*
  cpe:2.3:o:ovarro:tbox_lt2_firmware:1.50.598:*:*:*:*:*:*:*
• cpe:2.3:h:ovarro:tbox_lt2:-:*:*:*:*:*:*:*
  cpe:2.3:h:ovarro:tbox_lt2:-:*:*:*:*:*:*:*
• cpe:2.3:o:ovarro:tbox_tg2_firmware:-:*:*:*:*:*:*:*
  cpe:2.3:o:ovarro:tbox_tg2_firmware:-:*:*:*:*:*:*:*
• cpe:2.3:h:ovarro:tbox_tg2:-:*:*:*:*:*:*:*
  cpe:2.3:h:ovarro:tbox_tg2:-:*:*:*:*:*:*:*
• cpe:2.3:o:ovarro:tbox_rm2_firmware:-:*:*:*:*:*:*:*
  cpe:2.3:o:ovarro:tbox_rm2_firmware:-:*:*:*:*:*:*:*
• cpe:2.3:h:ovarro:tbox_rm2:-:*:*:*:*:*:*:*
  cpe:2.3:h:ovarro:tbox_rm2:-:*:*:*:*:*:*:*

CVSS3 Source

ics-cert@hq.dhs.gov

CVSS3 Type

Secondary

CVSS3 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H