ICSA-22-307-01 · Published 2024-12-03
ETIC Telecom Remote Access Server (RAS) (Update B)
CVSS 7.6 (HIGH)
Risk Summary
Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information and compromise the vulnerable device and other connected machines.
CVEs (8)
Remediations
- For the installed devices, ETIC Telecom recommends:
- CVE-2022-3703: For all firmware versions 4.7.0 and above, there is a code signature verification for firmware packages. To reduce the attack surface in versions prior to 4.7.0, ETIC Telecom advises users to verify: (1) That the downloaded firmware comes from a trusted source (ETIC Telecom web site), and (2) The hash of the firmware files.
- CVE-2022-41607: This issue has been fixed in version 4.7.0. To reduce the attack surface in versions prior to 4.7.0, ETIC Telecom advises users to verify in the router configuration that: (1) The administration web page is accessible only through the LAN side over HTTPS, and (2) The administration web page is protected with authentication.
- CVE-2022-40981: For all firmware versions 4.7.0 and above, only valid configuration files can be uploaded to the device. To reduce the attack surface in versions prior to 4.7.0, ETIC Telecom advises users to verify in the router configuration that: (1) The administration web page is accessible only through the LAN side over HTTPS, and (2) The administration web page is protected with authentication.
- CVE-2024-26156: For all firmware versions 4.5.0 and above, this issue is fixed. To reduce the attack surface in versions prior to 4.5.0, ETIC Telecom advises users to verify in the router configuration that: (1) The administration web page is accessible only through the LAN side over HTTPS, and (2) The administration web page is protected with authentication.
- CVE-2024-26157: This issue has been fixed in version 4.5.0. Update to firmware version 4.5.0 and above.
- CVE-2024-26154: For all firmware versions 4.5.0 and above, this issue is fixed. To reduce the attack surface in versions prior to 4.5.0, ETIC Telecom advises users to verify in the router configuration that: (1) The administration web page is accessible only through the LAN side over HTTPS, and (2) The administration web page is protected with authentication.
- CVE-2024-26155: For all firmware versions 4.5.0 and above, this issue is fixed. To reduce the attack surface in versions prior to 4.5.0, ETIC Telecom advises users to verify in the router configuration that: (1) The administration web page is accessible only through the LAN side over HTTPS, and (2) The administration web page is protected with authentication.
- CVE-2024-26153: ETIC Telecom RAS recommends updating the affected devices' firmware to version 4.11.0 or later.
Affected Vendors
ETIC Telecom
Affected Products (2)
- ETIC Telecom · ETIC Telecom RAS · versions <4.5.0
- ETIC Telecom · ETIC Telecom RAS · versions <4.11.0