CVE-2023-4467

A vulnerability was found in Poly Trio 8800 7.2.6.0019 and classified as critical. Affected by this issue is some unknown functionality of the component Test Automation Mode. The manipulation leads to backdoor. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249260.

CVSS v3 6.2 MEDIUM
CVSS v2.0 6.5 MEDIUM

6.2^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.3 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:L/Au:M/C:C/I:C/A:C

Exploitability : 2.5 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication MULTIPLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11919.html	Not Applicable
https://github.com/modzero/MZ-23-01-Poly-VoIP-Devices
https://modzero.com/en/advisories/mz-23-01-poly-voip/
https://vuldb.com/?ctiid.249260	Permissions Required Third Party Advisory VDB Entry
https://vuldb.com/?id.249260	Third Party Advisory VDB Entry
https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11919.html	Not Applicable
https://github.com/modzero/MZ-23-01-Poly-VoIP-Devices
https://modzero.com/en/advisories/mz-23-01-poly-voip/
https://vuldb.com/?ctiid.249260	Permissions Required Third Party Advisory VDB Entry
https://vuldb.com/?id.249260	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:poly:trio_8800_firmware:7.2.6.0019:*:*:*:*:*:*:*

cpe:2.3:h:poly:trio_8800:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:35

Type	Values Removed	Values Added
References	~~() https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11919.html - Not Applicable~~	() https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11919.html - Not Applicable
References	~~() https://github.com/modzero/MZ-23-01-Poly-VoIP-Devices -~~	() https://github.com/modzero/MZ-23-01-Poly-VoIP-Devices -
References	~~() https://modzero.com/en/advisories/mz-23-01-poly-voip/ -~~	() https://modzero.com/en/advisories/mz-23-01-poly-voip/ -
References	~~() https://vuldb.com/?ctiid.249260 - Permissions Required, Third Party Advisory, VDB Entry~~	() https://vuldb.com/?ctiid.249260 - Permissions Required, Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?id.249260 - Third Party Advisory, VDB Entry~~	() https://vuldb.com/?id.249260 - Third Party Advisory, VDB Entry
CVSS	v2 : ~~6.5~~ v3 : ~~6.6~~	v2 : 6.5 v3 : 6.2

09 Jan 2024, 17:15

Type	Values Removed	Values Added
References	~~{'url': 'https://modzero.com/en/advisories/mz-23-01-poly-voip-devices/', 'tags': ['Broken Link'], 'source': 'cna@vuldb.com'}~~	() https://github.com/modzero/MZ-23-01-Poly-VoIP-Devices - () https://modzero.com/en/advisories/mz-23-01-poly-voip/ -

05 Jan 2024, 17:34

Type	Values Removed	Values Added
CPE		cpe:2.3:o:poly:trio_8800_firmware:7.2.6.0019:::::::* cpe:2.3:h:poly:trio_8800:-:::::::*
CVSS	v2 : ~~6.5~~ v3 : ~~6.2~~	v2 : 6.5 v3 : 6.6
First Time		Poly Poly trio 8800 Firmware Poly trio 8800
References	~~() https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11919.html -~~	() https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11919.html - Not Applicable
References	~~() https://modzero.com/en/advisories/mz-23-01-poly-voip-devices/ -~~	() https://modzero.com/en/advisories/mz-23-01-poly-voip-devices/ - Broken Link
References	~~() https://vuldb.com/?ctiid.249260 -~~	() https://vuldb.com/?ctiid.249260 - Permissions Required, Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?id.249260 -~~	() https://vuldb.com/?id.249260 - Third Party Advisory, VDB Entry

29 Dec 2023, 13:56

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad fue encontrada en Poly Trio 8800 7.2.6.0019 y clasificada como crítica. Una función desconocida del componente Test Automation Mode es afectada por este problema. La manipulación conduce a una puerta trasera. Es posible lanzar el ataque al dispositivo físico. La explotación ha sido divulgada al público y puede utilizarse. El identificador de esta vulnerabilidad es VDB-249260.

29 Dec 2023, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-29 10:15

Updated : 2024-11-21 08:35

NVD link : CVE-2023-4467

Mitre link : CVE-2023-4467

CVE.ORG link : CVE-2023-4467

JSON object : View

Products Affected

poly

trio_8800_firmware
trio_8800

CWE

CWE-912

Hidden Functionality

{"id": "CVE-2023-4467", "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:M/C:C/I:C/A:C", "authentication": "MULTIPLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 2.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.7}]}, "published": "2023-12-29T10:15:12.783", "references": [{"url": "https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11919.html", "tags": ["Not Applicable"], "source": "cna@vuldb.com"}, {"url": "https://github.com/modzero/MZ-23-01-Poly-VoIP-Devices", "source": "cna@vuldb.com"}, {"url": "https://modzero.com/en/advisories/mz-23-01-poly-voip/", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.249260", "tags": ["Permissions Required", "Third Party Advisory", "VDB Entry"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.249260", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cna@vuldb.com"}, {"url": "https://fahrplan.events.ccc.de/congress/2023/fahrplan/events/11919.html", "tags": ["Not Applicable"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/modzero/MZ-23-01-Poly-VoIP-Devices", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://modzero.com/en/advisories/mz-23-01-poly-voip/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://vuldb.com/?ctiid.249260", "tags": ["Permissions Required", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://vuldb.com/?id.249260", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-912"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Poly Trio 8800 7.2.6.0019 and classified as critical. Affected by this issue is some unknown functionality of the component Test Automation Mode. The manipulation leads to backdoor. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249260."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en Poly Trio 8800 7.2.6.0019 y clasificada como cr\u00edtica. Una funci\u00f3n desconocida del componente Test Automation Mode es afectada por este problema. La manipulaci\u00f3n conduce a una puerta trasera. Es posible lanzar el ataque al dispositivo f\u00edsico. La explotaci\u00f3n ha sido divulgada al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-249260."}], "lastModified": "2024-11-21T08:35:13.757", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:poly:trio_8800_firmware:7.2.6.0019:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "188F0197-4723-4E12-B2D7-A94CC6204261"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:poly:trio_8800:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "39862A32-5AF6-41F9-9C25-9D68EB3784DC"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cna@vuldb.com"}

6.2 /10