Broadcom RAID Controller web interface is vulnerable to insufficient randomness due to improper use of ssl.rnd to setup CIM connection
CVE-2023-4344

9.8CRITICAL

Key Information:

Vendor: Broadcom
Status: Lsi Storage Authority (lsa); Raid Web Console 3 (rwc3)
Vendor: CVE Published:; 15 August 2023

Summary

The web interface of the Broadcom RAID Controller is susceptible to insufficient randomness due to improper implementation of the ssl.rnd function during the establishment of CIM connections. This shortfall can lead to potential security risks, enabling attackers to exploit the weakness and undermine the security of data transactions.

Affected Version(s)

LSI Storage Authority (LSA) 0

RAID Web Console 3 (RWC3) 0 < 7.017.011.000

References

https://www.broadcom.com/support/resources/product-securi...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 15, 2023
Vulnerability Reserved
Aug 14, 2023

Credit

Intel DCG