CVE-2022-26943

The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://tetraburst.com/	Technical Description

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:motorola:mtm5500_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:motorola:mtm5500:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:motorola:mtm5400_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:motorola:mtm5400:-:*:*:*:*:*:*:*

History

27 Oct 2023, 21:54

Type	Values Removed	Values Added
References	~~(MISC) https://tetraburst.com/ -~~	(MISC) https://tetraburst.com/ - Technical Description
CWE		CWE-338
First Time		Motorola mtm5400 Motorola mtm5500 Motorola mtm5400 Firmware Motorola Motorola mtm5500 Firmware
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:o:motorola:mtm5400_firmware:-:::::::* cpe:2.3:o:motorola:mtm5500_firmware:-:::::::* cpe:2.3:h:motorola:mtm5500:-:::::::* cpe:2.3:h:motorola:mtm5400:-:::::::*

19 Oct 2023, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-19 10:15

Updated : 2023-12-10 15:14

NVD link : CVE-2022-26943

Mitre link : CVE-2022-26943

CVE.ORG link : CVE-2022-26943

JSON object : View

Products Affected

motorola

mtm5500
mtm5400_firmware
mtm5400
mtm5500_firmware

CWE

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

{"id": "CVE-2022-26943", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cert@ncsc.nl", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-10-19T10:15:09.963", "references": [{"url": "https://tetraburst.com/", "tags": ["Technical Description"], "source": "cert@ncsc.nl"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-338"}]}, {"type": "Secondary", "source": "cert@ncsc.nl", "description": [{"lang": "en", "value": "CWE-338"}]}], "descriptions": [{"lang": "en", "value": "The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400."}, {"lang": "es", "value": "Los firmwares de la serie Motorola MTM5000 generan desaf\u00edos de autenticaci\u00f3n TETRA utilizando un PRNG que utiliza un registro de conteo de ticks como \u00fanica fuente de entrop\u00eda. La baja entrop\u00eda del tiempo de arranque y la resiembra limitada del grupo hacen que el desaf\u00edo de autenticaci\u00f3n sea vulnerable a dos ataques. En primer lugar, debido a la entrop\u00eda limitada del grupo de tiempo de arranque, un adversario puede derivar el contenido del grupo de entrop\u00eda mediante una b\u00fasqueda exhaustiva de valores posibles, bas\u00e1ndose en un desaf\u00edo de autenticaci\u00f3n observado. En segundo lugar, un adversario puede utilizar el conocimiento del conjunto de entrop\u00eda para predecir los desaf\u00edos de autenticaci\u00f3n. Como tal, la unidad es vulnerable a CVE-2022-24400."}], "lastModified": "2023-11-07T03:45:15.897", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:motorola:mtm5500_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB7C0C44-3660-4B47-A1ED-0BD19EFC5F03"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:motorola:mtm5500:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A1A0784B-AE84-4457-A884-5C26EEA8D181"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:motorola:mtm5400_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF669A29-B983-40F6-BBA9-D9F67E653BEF"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:motorola:mtm5400:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "03AA5A43-A1B5-4E1C-A844-691607765E30"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cert@ncsc.nl"}