Cyber Resilience

CVE-2023-28865

MediumPublic PoC

Published: 08 August 2024

Published
08 August 2024
Modified
19 August 2024
KEV Added
Patch
CVSS Score v3.1 6.6 CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0032 55.2th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-28865 is a medium-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Dieboldnixdorf Vynamic Security Suite. Its CVSS base score is 6.6 (Medium).

Operationally, ranked in the top 44.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR15, 4.0.0 SR05, 4.1.0 SR03, and 4.2.0 SR02 fails to validate the directory contents of certain directories (e.g., ensuring the expected hash sum) during the Pre-Boot Authorization (PBA) process. This can be…

more

exploited by a physical attacker who is able to manipulate the contents of the system's hard disk.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dieboldnixdorf
vynamic security suite
≤ 3.3.0sr15 · 4.0.0 — 4.0.0sr05 · 4.1.0 — 4.1.0sr03

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-345 CWE-353

Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data.

addresses: CWE-345 CWE-353

Control requires verification of data authenticity/integrity (e.g., checksums) after aggregation/packing, directly reducing exploitation of insufficient verification before transmission.

addresses: CWE-353 CWE-345

Directly supplies the missing integrity verification mechanism the weakness describes.

addresses: CWE-345 CWE-353

Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history.

addresses: CWE-345 CWE-353

The control implements verification mechanisms that detect tampering by ensuring data authenticity.

addresses: CWE-353

Irrefutable evidence of actions requires integrity protection to prevent tampering or alteration of records.

addresses: CWE-353

Implements required signature-based integrity verification, addressing missing support for integrity checks on components.

addresses: CWE-345

Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.

References