History: Apr 20, 2022 - 3:30 p.m.

CVE-2022-1318 Hills ComNav Inadequate Encryption Strength

2022-04-20 15:30:35
CWE-326
icscert
www.cve.org
hills comnav
weak encryption
communication channel
predictable packets
traffic observation
inadequate strength

CVSS3: 6.2

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7
Confidence: High

EPSS: 0
Percentile: 12.6%

Hills ComNav version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The sizes of certain communication packets are predictable, which would allow an attacker who can observe the traffic to learn the state of the system. This would be possible even if the traffic were encrypted, e.g., using WPA2, as the packet sizes would remain observable. The communication encryption scheme is theoretically sound, but is not strong enough for the level of protection required.

CNA Affected

[
  {
    "product": "ComNav",
    "vendor": "Interlogix",
    "versions": [
      {
        "lessThanOrEqual": "3002-19",
        "status": "affected",
        "version": "All",
        "versionType": "custom"
      }
    ]
  }
]
