### Critical Vulnerability Information

#### 1. Vulnerability Overview

- **CVE ID**: CVE-2023-2923
- **Severity**: Critical (CVSS v3.1 base score 9.8; exploitable over the network with low attack complexity)
- **Vendor**: Kaleris
- **Affected Product**: Navis N4
- **Vulnerability Types**:
  - CWE-502: Deserialization of Untrusted Data
  - CWE-319: Cleartext Transmission of Sensitive Information

#### 2. Affected Products

- Navis N4 terminal operating system and related components, including:
  - Navis N4 versions prior to 8.0

#### 3. Vulnerability Details

- **Deserialization of Untrusted Data (CWE-502)**:
  - A remote attacker who can reach the service sends a specially crafted request whose serialized content is deserialized without validation; the deserializer instantiates attacker-chosen classes and the result is arbitrary code execution on the N4 host. The 9.8 score reflects that no privileges or user interaction are required.
  - CVSS v3.1 Score: 9.8 (Critical)
- **Cleartext Transmission of Sensitive Information (CWE-319)**:
  - Sensitive information is sent over unencrypted network connections, so anyone positioned on the network path (for example on the same segment or at an intermediate device) can read or capture it.
  - CVSS v3.1 Score: 6.5 (Medium)

#### 4. Background Information

- **Critical Infrastructure Sector**: Transportation Systems
- **Deployment Countries**: Global
- **Company Headquarters Location**: United States

#### 5. Mitigation Measures

- Upgrade to one of the following versions, which fix both vulnerabilities:
  - Navis N4 Version 11.0.0+
  - Navis N4 Version 12.0.0+
  - Navis N4 Version 13.0.0+
  - Navis N4 Version 14.0.0+
  - Navis N4 Version 15.0.0+
  - Navis N4 Version 16.0.0+
  - Navis N4 Version 17.0.0+
  - Navis N4 Version 18.0.0+
- If an immediate upgrade is not possible, apply temporary mitigations until it is:
  - Restrict network access to the N4 servers: place them behind a firewall, segment them from the business network, and do not expose the N4 service ports to the Internet.
  - Allow remote access only through a VPN or another authenticated, encrypted channel, which also addresses the cleartext exposure (CWE-319) for traffic crossing untrusted segments.
  - Note that network restriction only reduces the pool of hosts able to send the crafted request (CWE-502); it does not remove the deserialization flaw, so the upgrade remains necessary.

#### 6. Update History

- June 28, 2023: Initial release
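The following is an added illustration of the CWE-502 pattern described in section 3, not code from Kaleris, Navis N4 or this advisory, and it says nothing about which serialization format N4 uses. It uses Python's `pickle` because the mechanism is identical across native deserializers: the byte stream names the class (or callable) to construct, so a service that feeds untrusted bytes to the deserializer lets the sender choose what runs. `JobRequest`, `_Gadget`, and the `echo` command are constructed for the example; the hardened `RestrictedUnpickler` is the standard allow-list fix that resolves only the types the endpoint expects.

```python
"""CWE-502 in miniature: a serialized request whose payload calls a gadget
on load, beside a deserializer that refuses anything outside an allow-list.
Illustrative only: Python pickle, not the format or code used by Navis N4."""
import io
import os
import pickle


class JobRequest:
    """Constructed stand-in for a legitimate serialized message."""

    def __init__(self, job_id: int, action: str):
        self.job_id = job_id
        self.action = action

    def __eq__(self, other):
        return isinstance(other, JobRequest) and vars(self) == vars(other)


class _Gadget:
    """Attacker-side helper only. pickle records the callable and arguments
    returned by __reduce__, so the stream it emits says "call os.system(cmd)"
    and the class itself never has to exist on the victim."""

    def __init__(self, cmd: str):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def benign_request() -> bytes:
    """What the endpoint is designed to receive."""
    return pickle.dumps(JobRequest(42, "discharge"))


def crafted_request(cmd: str = "echo pwned") -> bytes:
    """The specially crafted request: same wire format, different contents."""
    return pickle.dumps(_Gadget(cmd))


def vulnerable_load(data: bytes):
    """The CWE-502 pattern: trust the bytes and let the stream pick the callable.
    For the crafted stream this runs os.system() during deserialization."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form: resolve only the exact (module, class) pairs this
    endpoint expects; every other global reference is an error."""

    ALLOWED = {(__name__, "JobRequest")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_or_none(data: bytes):
    """Convenience wrapper: None when the allow-list rejects the stream."""
    try:
        return safe_load(data)
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    print("benign, vulnerable path:", vulnerable_load(benign_request()).action)
    print("benign, hardened path:  ", safe_load(benign_request()).action)
    print("crafted, vulnerable path: os.system ran, exit status",
          vulnerable_load(crafted_request()))
    print("crafted, hardened path: ", safe_load_or_none(crafted_request()))
```

The allow-list is the part that transfers to other languages: Java's `ObjectInputFilter` and .NET's serialization binders do the same job, and the network restrictions in section 5 only shrink the set of hosts that can deliver the crafted stream, they do not change what the deserializer will do with it.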