CVE-2023-29062 Vulnerability Details

  /     /     /  

CVE-2023-29062 Metadata Quick Info

CVE Published: 28/11/2023 | CVE Updated: 02/08/2024 | CVE Year: 2023
Source: BD | Vendor: Becton, Dickinson and Company (BD) | Product: FACSChorus
Status : PUBLISHED

CVE-2023-29062 Description

The Operating System hosting the FACSChorus application is configured to allow transmission of hashed user credentials upon user action without adequately validating the identity of the requested resource. This is possible through the use of LLMNR, MBT-NS, or MDNS and will result in NTLMv2 hashes being sent to a malicious entity position on the local network. These hashes can subsequently be attacked through brute force and cracked if a weak password is used. This attack would only apply to domain joined systems.

Metrics

CVSS Version: 3.1 | Base Score: 3.8 LOW
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* ADJACENT_NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* NONE
    User Interaction (UI)* REQUIRED
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* NONE
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-287
CWE Name: CWE-287 Improper Authentication
Source: Becton, Dickinson and Company (BD)

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-194
CAPEC Description: CAPEC-194 Fake the Source of Data


Source: NVD (National Vulnerability Database).

Last added CVEs

▸ CVE-2024-9999 ◂
Discovered: 12/11/2024
Status: PUBLISHED
▸ CVE-2024-9997 ◂
Discovered: 29/10/2024
Status: PUBLISHED
▸ CVE-2024-9996 ◂
Discovered: 29/10/2024
Status: PUBLISHED



Tags:
CVE-2023-29062 Vulnerability Details