Description

Maintenance Server, in Cybellum's QCOW air-gapped distribution (China Edition), versions 2.15.5 through 2.27, was compiled with a hard-coded private cryptographic key. An attacker with administrative privileges and access to the air-gapped server could potentially use this key to run commands on the server. The issue was resolved in version 2.28. Earlier versions, including all Cybellum 1.x versions, and distributions for the rest of the world remain unaffected.

PUBLISHED Reserved 2023-09-08 | Published 2024-03-05 | Updated 2024-08-02 | Assigner Cybellum




LOW: 3.8 CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Exploitation of the vulnerability is limited by the need for administrative access and a connection to internal air-gapped networks, which reduces its potential impact.

Problem types

CWE-321 Use of Hard-coded Cryptographic Key

Product status

Default status: unaffected

2.15.5 (custom): affected

1.*: unaffected

2.0 (custom): unaffected

2.28 (custom): unaffected

Credits

Delikely (finder)

References

cybellum.com/

cve.org (CVE-2023-42419)

nvd.nist.gov (CVE-2023-42419)
