CVE-2023-34388 : An Improper Authentication vulnerability in the Schweitzer Engineering Laborato

An Improper Authentication vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow a remote unauthenticated attacker to potentially perform session hijacking attack and bypass authentication. See product Instruction Manual Appendix A dated 20230830 for more details.

Published 2023-11-30 17:15:09

Updated 2023-12-06 00:33:56

Source Schweitzer Engineering Laboratories, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2023-34388

Selinc » Sel-451 Firmware
Versions from including (>=) r324-v0 and before (<) r324-v4
cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Selinc » Sel-451 » Version: N/A
Selinc » Sel-451 Firmware
Versions from including (>=) r315-v0 and before (<) r315-v4
cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Selinc » Sel-451 » Version: N/A
Selinc » Sel-451 Firmware
Versions from including (>=) r318-v0 and before (<) r318-v5
cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Selinc » Sel-451 » Version: N/A
Selinc » Sel-451 Firmware
Versions from including (>=) r322-v0 and before (<) r322-v3
cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Selinc » Sel-451 » Version: N/A
Selinc » Sel-451 Firmware
Versions from including (>=) r321-v0 and before (<) r321-v3
cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Selinc » Sel-451 » Version: N/A
Selinc » Sel-451 Firmware
Versions from including (>=) r325-v0 and before (<) r325-v3
cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Selinc » Sel-451 » Version: N/A
Selinc » Sel-451 Firmware
Versions from including (>=) r320-v0 and before (<) r320-v3
cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Selinc » Sel-451 » Version: N/A
Selinc » Sel-451 Firmware
Versions from including (>=) r323-v0 and before (<) r323-v5
cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Selinc » Sel-451 » Version: N/A
Selinc » Sel-451 Firmware
Versions from including (>=) r317-v0 and before (<) r317-v4
cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Selinc » Sel-451 » Version: N/A
Selinc » Sel-451 Firmware
Versions from including (>=) r316-v0 and before (<) r316-v4
cpe:2.3:o:selinc:sel-451_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Selinc » Sel-451 » Version: N/A
Selinc » Sel-451 Firmware » Version: R326-v0
cpe:2.3:o:selinc:sel-451_firmware:r326-v0:*:*:*:*:*:*:*
Matching versions
When used together with: Selinc » Sel-451 » Version: N/A
Selinc » Sel-451 Firmware » Version: R327-v0
cpe:2.3:o:selinc:sel-451_firmware:r327-v0:*:*:*:*:*:*:*
Matching versions
When used together with: Selinc » Sel-451 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2023-34388

EPSS FAQ

0.44%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 61 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-34388

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.5	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	2.8	3.6	Schweitzer Engineering Laboratories, Inc.
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2023-34388

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigned by:
- nvd@nist.gov (Primary)
- security@selinc.com (Secondary)

References for CVE-2023-34388

https://www.nozominetworks.com/blog/

OT & IoT Security Blog – Nozomi Networks
Third Party Advisory

CVEs referencing this url
https://selinc.com/support/security-notifications/external-reports/

Security Notifications - Issues Reported by External Organization or Individuals
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-34388

Products affected by CVE-2023-34388

Exploit prediction scoring system (EPSS) score for CVE-2023-34388

CVSS scores for CVE-2023-34388

CWE ids for CVE-2023-34388

References for CVE-2023-34388