Use of Password Hash With Insufficient Computational Effort in Franklin Electric TS-550

Published: 2023-11-03

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2023-5846
CWE-ID	CWE-916
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	TS-550 Hardware solutions / Routers & switches, VoIP, GSM, etc
Vendor

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Use of Password Hash With Insufficient Computational Effort

EUVDB-ID: #VU82702

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-5846

CWE-ID: CWE-916 - Use of Password Hash With Insufficient Computational Effort

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to use of a weak hash algorithm. A remote attacker can decode admin credentials and gain unauthenticated access to the device.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

TS-550: before 1.9.23.8960

CPE2.3

External links

http://www.cisa.gov/news-events/ics-advisories/icsa-23-306-04

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.