Vulnerability Details: CVE-2023-4489
The first S0 encryption key is generated with an uninitialized PRNG in Z/IP Gateway products running Silicon Labs Z/IP Gateway SDK v7.18.3 and earlier. This makes the first S0 key generated at startup predictable, potentially allowing network key prediction and unauthorized S0 network access.
Products affected by CVE-2023-4489
- cpe:2.3:a:silabs:z\/ip_gateway_sdk:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-4489
- 0.12%: probability of exploitation activity in the next 30 days
- ~47%: percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2023-4489
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
| 6.4 | MEDIUM | CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.5 | 5.9 | Silicon Labs | |
CWE ids for CVE-2023-4489
- The product uses or accesses a resource that has not been initialized. Assigned by: nvd@nist.gov (Primary), product-security@silabs.com (Secondary)
- Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result. Assigned by: product-security@silabs.com (Secondary)
References for CVE-2023-4489
- https://github.com/SiliconLabs/gecko_sdk (GitHub, SiliconLabs/gecko_sdk: the Gecko SDK (GSDK) combines all Silicon Labs 32-bit IoT product software development kits based on Gecko Platform into a single, integrated SDK). Third Party Advisory
- https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000buWj0QAE?operationContext=S1 (Silicon Labs advisory document; sign-in required). Permissions Required