Lucene search

ASRGCVELIST:CVE-2024-23924

HistorySep 28, 2024 - 6:18 a.m.

CVE-2024-23924 Alpine Halo9 UPDM_wemCmdCreatSHA256Hash Command Injection Remote Code Execution Vulnerability

2024-09-2806:18:57

CWE-78

ASRG

www.cve.org

alpine

updm_wemcmdcreatsha256hash

command injection

remote code execution

vulnerability

authentication

system call

root

zdi-can-23105

cve-2024-23924

CVSS3

6.8

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

JSON

Alpine Halo9 UPDM_wemCmdCreatSHA256Hash Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Alpine Halo9 devices. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the UPDM_wemCmdCreatSHA256Hash function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.

Was ZDI-CAN-23105

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "product": "Halo9",
    "vendor": "Alpine",
    "versions": [
      {
        "status": "affected",
        "version": "6.0.000"
      }
    ]
  }
]

References

www.zerodayinitiative.com/advisories/ZDI-24-846/

CVSS3

6.8

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

JSON

Related for CVELIST:CVE-2024-23924