CVE-2024-38270

Sept. 18, 2024, 6:23 p.m.

6.5
Medium

Description

An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive.

Product(s) Impacted

Vendor Product Versions
Zyxel
  • Gs1900-48hpv2 Firmware
  • Gs1900-48hpv2
  • Gs1900-48 Firmware
  • Gs1900-48
  • Gs1900-24hpv2 Firmware
  • Gs1900-24hpv2
  • Gs1900-24ep Firmware
  • Gs1900-24ep
  • Gs1900-24e Firmware
  • Gs1900-24e
  • Gs1900-24 Firmware
  • Gs1900-24
  • Gs1900-16 Firmware
  • Gs1900-16
  • Gs1900-10hp Firmware
  • Gs1900-10hp
  • Gs1900-8hp Firmware
  • Gs1900-8hp
  • Gs1900-8 Firmware
  • Gs1900-8
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -
  • *
  • -

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-331
Insufficient Entropy
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o zyxel gs1900-48hpv2_firmware / / / / / / / /
h zyxel gs1900-48hpv2 - / / / / / / /
o zyxel gs1900-48_firmware / / / / / / / /
h zyxel gs1900-48 - / / / / / / /
o zyxel gs1900-24hpv2_firmware / / / / / / / /
h zyxel gs1900-24hpv2 - / / / / / / /
o zyxel gs1900-24ep_firmware / / / / / / / /
h zyxel gs1900-24ep - / / / / / / /
o zyxel gs1900-24e_firmware / / / / / / / /
h zyxel gs1900-24e - / / / / / / /
o zyxel gs1900-24_firmware / / / / / / / /
h zyxel gs1900-24 - / / / / / / /
o zyxel gs1900-16_firmware / / / / / / / /
h zyxel gs1900-16 - / / / / / / /
o zyxel gs1900-10hp_firmware / / / / / / / /
h zyxel gs1900-10hp - / / / / / / /
o zyxel gs1900-8hp_firmware / / / / / / / /
h zyxel gs1900-8hp - / / / / / / /
o zyxel gs1900-8_firmware / / / / / / / /
h zyxel gs1900-8 - / / / / / / /

References

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficient-entropy-vulnerability-for-web-authentication-tokens-generation-in-gs1900-series-switches-09-10-2024

Tags

security@zyxel.com.tw
CWE-331
2024-09-10
CVE-2024-38270

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

    View Vector String

Timeline

Published: Sept. 10, 2024, 2:15 a.m.
Last Modified: Sept. 18, 2024, 6:23 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@zyxel.com.tw

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.