admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
cvelist/2024/22xxx/CVE-2024-22388.json
CVE Team 14e59a225b
"-Synchronized-Data."
2024-02-07 00:00:37 +00:00

190 lines
12 KiB
JSON
Raw Blame History

{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"CVE_data_meta": {
"ID": "CVE-2024-22388",
"ASSIGNER": "ics-cert@hq.dhs.gov",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "\nCertain configuration available in the communication channel for encoders could expose sensitive data when reader configuration cards are programmed. This data could include credential and device administration keys.\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization",
"cweId": "CWE-285"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "HID Global",
"product": {
"product_data": [
{
"product_name": "iCLASS SE CP1000 Encoder",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "All"
}
]
}
},
{
"product_name": "iCLASS SE Readers",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "All"
}
]
}
},
{
"product_name": "iCLASS SE Reader Modules",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "All"
}
]
}
},
{
"product_name": "iCLASS SE Processors",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "All"
}
]
}
},
{
"product_name": "OMNIKEY 5427CK Readers",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "All"
}
]
}
},
{
"product_name": "OMNIKEY 5127CK Readers",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "All"
}
]
}
},
{
"product_name": "OMNIKEY 5023 Readers",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "All"
}
]
}
},
{
"product_name": "OMNIKEY 5027 Readers",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "All"
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-01",
"refsource": "MISC",
"name": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-01"
},
{
"url": "https://support.hidglobal.com/",
"refsource": "MISC",
"name": "https://support.hidglobal.com/"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"source": {
"advisory": "ICSA-24-037-01",
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n<p>HID advises users to take the following steps to mitigate these threats.</p><p>Protect your reader configuration cards.</p><ul><li>A malicious encoder or reader must be physically close to the reader configuration cards to communicate with them and extract information. Elite Key and Custom Key users that have kept their configuration cards secure should continue to be vigilant and restrict access to those cards.<br>HID standard key users and other users who are concerned their keys may be compromised should consider steps to update the readers and credentials with new keys. To assist in this effort, HID will be introducing a free upgrade to the Elite Key program. Contact your HID representative for more information.</li></ul><p>Protect your credentials and disable legacy technologies.</p><ul><li>Reading the PACS data from a credential is not enough to clone the credential for modern technologies like Seos and DESFire. These technologies use a credential key for authentication. However, if a system's readers still support legacy technologies (i.e., HID Prox, MiFARE Classic, etc.), then it may be possible to insert the credential information into a legacy technology credential that would be accepted by those readers. Users are encouraged to disable legacy credential technologies in their readers.<br>Further, physical credentials should always be kept safe by their users, and site managers should remind their users to be vigilant with their credentials and report missing or stolen cards.</li></ul><p>Harden your iCLASS SE Readers from configuration changes</p><ul><li>iCLASS SE Readers using firmware firmware version 8.6.04 or higher can use the HID Reader Manager application to prevent the readers from accepting configuration changes from configuration cards. After this is complete, users may then securely destroy their reader configuration cards.<br>If you need assistance, or if the reader firmware has not been updated to 8.6.04 or higher, contact HID Technical Support.</li></ul><p>Harden your HID OMNIKEY Readers, HID iCLASS SE Reader Modules, HID iCLASS SE Processors from configuration changes</p><ul><li>Contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.hidglobal.com/support\">HID</a>&nbsp;to receive a \"Shield Card\" that will prevent further configuration changes using reader configuration cards. After this is complete, users may then securely destroy their reader configuration cards.</li></ul>\n\n<br>"
}
],
"value": "\nHID advises users to take the following steps to mitigate these threats.\n\nProtect your reader configuration cards.\n\n * A malicious encoder or reader must be physically close to the reader configuration cards to communicate with them and extract information. Elite Key and Custom Key users that have kept their configuration cards secure should continue to be vigilant and restrict access to those cards.\nHID standard key users and other users who are concerned their keys may be compromised should consider steps to update the readers and credentials with new keys. To assist in this effort, HID will be introducing a free upgrade to the Elite Key program. Contact your HID representative for more information.\n\n\nProtect your credentials and disable legacy technologies.\n\n * Reading the PACS data from a credential is not enough to clone the credential for modern technologies like Seos and DESFire. These technologies use a credential key for authentication. However, if a system's readers still support legacy technologies (i.e., HID Prox, MiFARE Classic, etc.), then it may be possible to insert the credential information into a legacy technology credential that would be accepted by those readers. Users are encouraged to disable legacy credential technologies in their readers.\nFurther, physical credentials should always be kept safe by their users, and site managers should remind their users to be vigilant with their credentials and report missing or stolen cards.\n\n\nHarden your iCLASS SE Readers from configuration changes\n\n * iCLASS SE Readers using firmware firmware version 8.6.04 or higher can use the HID Reader Manager application to prevent the readers from accepting configuration changes from configuration cards. After this is complete, users may then securely destroy their reader configuration cards.\nIf you need assistance, or if the reader firmware has not been updated to 8.6.04 or higher, contact HID Technical Support.\n\n\nHarden your HID OMNIKEY Readers, HID iCLASS SE Reader Modules, HID iCLASS SE Processors from configuration changes\n\n * Contact HID https://www.hidglobal.com/support \u00a0to receive a \"Shield Card\" that will prevent further configuration changes using reader configuration cards. After this is complete, users may then securely destroy their reader configuration cards.\n\n\n\n\n\n"
}
],
"credits": [
{
"lang": "en",
"value": "HID Global reported this vulnerability to CISA."
}
],
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
]
}
}
Reference in New Issue View Git Blame Copy Permalink