CVE-2022-42982

BKG Professional NtripCaster 2.0.39 allows querying information over the UDP protocol without authentication. The NTRIP sourcetable is typically quite long (tens of kBs) and can be requested with a packet of only 30 bytes. This presents a vector that can be used for UDP amplification attacks. Normally, only authenticated streaming data will be provided over UDP and not the sourcetable.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
VendorProductVersion
bundbkg_professional_ntripcaster
𝑥
≤ 2.0.39
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cve.mahi.be/bkg_ntrip_udp/
https://igs.bkg.bund.de/ntrip/bkgcaster
https://cve.mahi.be/bkg_ntrip_udp/
https://igs.bkg.bund.de/ntrip/bkgcaster