Non-Compliant TLS Configuration.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
The vulnerability results from the use of TLS configuration in the devices that does not meet current security standards (CWE-326). This means that the cryptographic algorithms used, key lengths, or connection negotiation parameters are insufficient. A remote attacker, without authentication and without special prerequisites, may potentially conduct an attack on the device communication encryption layer. This results in exposure of confidentiality, integrity, and availability of both the device itself and systems associated with it.
An attacker may gain access to sensitive data transmitted by the device, manipulate communications, or disrupt the operation of the device and connected systems. The maximum CVSS score of 10.0 indicates full impact on confidentiality, integrity, and availability of both the device itself and surrounding systems.
Security patches from the manufacturer should be applied in accordance with references published at https://azure-access.com/security-advisories. It is recommended to immediately update the firmware of BLU-IC2 and BLU-IC4 devices to a version higher than 1.19.5 as soon as it becomes available. Until the patch is deployed, it is recommended to isolate the devices on the network and restrict access to them exclusively to trusted network segments.
Azure-Access BLU-IC2 in all firmware versions up to and including 1.19.5, and Azure-Access BLU-IC4 in all firmware versions up to and including 1.19.5.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAzure Access Blu Ic2
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic2 Firmware
OSAzure-Access< 1.20Azure Access Blu Ic4
HWAzure-Accesswszystkie wersjeAzure Access Blu Ic4 Firmware
OSAzure-Access< 1.20
Related vulnerabilities
Krytyczna podatność Web UI w urządzeniach Azure-Access BLU-IC2/IC4
Podatność DoS (SlowLoris) w Azure-Access BLU-IC2 i BLU-IC4
Współdzielenie statycznych sekretów SDKSocket w urządzeniach Azure-Access BLU-IC2/IC4
Wyłączona weryfikacja certyfikatu serwera e-mail w Azure-Access BLU-IC2/IC4
Systemiczne błędy wewnętrzne serwera (HTTP 500) w Azure-Access BLU-IC2 i BLU-IC4