CVE-2024-29149

2024-05-0717:15:07

[email protected]

web.nvd.nist.gov

alcatel-lucent

deskphones

firmware

update

vulnerability

authenticated attacker

malicious firmware

time-of-check

time-of-use

7.2 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

8.6%

JSON

An issue was discovered in Alcatel-Lucent ALE NOE deskphones through 86x8_NOE-R300.1.40.12.4180 and SIP deskphones through 86x8_SIP-R200.1.01.10.728. Because of a time-of-check time-of-use vulnerability, an authenticated attacker is able to replace the verified firmware image with malicious firmware during the update process.

References

www.al-enterprise.com/-/media/assets/internet/documents/n-to-s/sa-c0071-ed01.pdf

www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-010.txt