CVE-2023-6324 : ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session when encou

ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session when encountering an unexpected PSK identity

Published 2024-05-15 12:09:30

Updated 2025-02-11 21:32:50

Source Bitdefender

View at NVD, CVE.org

Products affected by CVE-2023-6324

Roku » Indoor Camera Se Firmware » Version: 3.0.2.4679
cpe:2.3:o:roku:indoor_camera_se_firmware:3.0.2.4679:*:*:*:*:*:*:*
Matching versions
When used together with: Roku » Indoor Camera Se » Version: N/A
Throughtek » Kalay P2p Software Development Kit
Versions from including (>=) 3.2.0.0 and up to, including, (<=) 3.3.6.1
cpe:2.3:a:throughtek:kalay_p2p_software_development_kit:*:*:*:*:*:*:*:*
Matching versions
Throughtek » Kalay P2p Software Development Kit
Versions from including (>=) 4.0.0.0 and up to, including, (<=) 4.3.3.1
cpe:2.3:a:throughtek:kalay_p2p_software_development_kit:*:*:*:*:*:*:*:*
Matching versions
Throughtek » Kalay P2p Software Development Kit
Versions from including (>=) 3.4.0.0 and up to, including, (<=) 3.4.7.3
cpe:2.3:a:throughtek:kalay_p2p_software_development_kit:*:*:*:*:*:*:*:*
Matching versions
Throughtek » Kalay P2p Software Development Kit
Versions from including (>=) 3.1.10.0 and up to, including, (<=) 3.1.10.16
cpe:2.3:a:throughtek:kalay_p2p_software_development_kit:*:*:*:*:*:*:*:*
Matching versions
Throughtek » Kalay Platform » Version: N/A
cpe:2.3:a:throughtek:kalay_platform:-:*:*:*:*:*:*:*
Matching versions
Wyze » Cam V3 Firmware » Version: 4.36.11.5859
cpe:2.3:o:wyze:cam_v3_firmware:4.36.11.5859:*:*:*:*:*:*:*
Matching versions
When used together with: Wyze » Cam V3 » Version: N/A
Owletcare » Cam Firmware
Versions before (<) 4.2.11
cpe:2.3:o:owletcare:cam_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Owletcare » CAM » Version: N/A
Owletcare » Cam 2 Firmware
Versions before (<) 4.2.10
cpe:2.3:o:owletcare:cam_2_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Owletcare » Cam 2 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2023-6324

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 34 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-6324

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	N/A	N/A	Bitdefender	2024-05-15
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	2.8	5.2	Bitdefender	2024-05-15
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST	2025-02-11
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-6324

CWE-457 Use of Uninitialized Variable

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
Assigned by:
- b3d5ebe7-963e-41fb-98e1-2edaeabb8f82 (Primary)
- cve-requests@bitdefender.com (Secondary)
CWE-908 Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-6324

https://bitdefender.com/blog/labs/notes-on-throughtek-kalay-vulnerabilities-and-their-impact/

Notes on ThroughTek Kalay Vulnerabilities and Their Impact on the IoT Ecosystem
Exploit;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-6324

Products affected by CVE-2023-6324

Exploit prediction scoring system (EPSS) score for CVE-2023-6324

CVSS scores for CVE-2023-6324

CWE ids for CVE-2023-6324

References for CVE-2023-6324