CVE-2024-4640 - OpenCVE

OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to missing bounds checking on buffer operations. An attacker could write past the boundaries of allocated buffer regions in memory, causing a program crash.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-242550-oncell-g3470a-lte-series-multiple-web-application-vulnerabilities

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Moxa

Published: 2024-06-25T09:19:08.712Z

Updated: 2024-06-25T13:15:08.856Z

Reserved: 2024-05-08T00:44:43.828Z

Link: CVE-2024-4640

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-06-25T10:15:20.780

Modified: 2024-06-25T12:24:17.873

Link: CVE-2024-4640

JSON object: View

Redhat Information

No data.

CWE

CWE-120

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-4640", "assignerOrgId": "2e0a0ee2-d866-482a-9f5e-ac03d156dbaa", "state": "PUBLISHED", "assignerShortName": "Moxa", "dateReserved": "2024-05-08T00:44:43.828Z", "datePublished": "2024-06-25T09:19:08.712Z", "dateUpdated": "2024-06-25T13:15:08.856Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OnCell G3150A-LTE Series", "vendor": "Moxa", "versions": [{"lessThanOrEqual": "1.7.7", "status": "affected", "version": "1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nikita Abramov from Positive Technologies"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to missing bounds checking on buffer operations. An attacker could write past the boundaries of allocated buffer regions in memory, causing a program crash."}], "value": "OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to missing bounds checking on buffer operations. An attacker could write past the boundaries of allocated buffer regions in memory, causing a program crash."}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100: Overflow Buffers"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e0a0ee2-d866-482a-9f5e-ac03d156dbaa", "shortName": "Moxa", "dateUpdated": "2024-06-25T09:19:08.712Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-242550-oncell-g3470a-lte-series-multiple-web-application-vulnerabilities"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.</p><p></p><ul><li>OnCell G3470A-LTE Series: Please contact Moxa Technical Support for the <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.moxa.com/tw/support/technical-support\">security patch (v1.7.8).</a></li></ul><p></p>"}], "value": "Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.\n\n\n\n * OnCell G3470A-LTE Series: Please contact Moxa Technical Support for the security patch (v1.7.8). https://www.moxa.com/tw/support/technical-support"}], "source": {"discovery": "EXTERNAL"}, "title": "OnCell G3470A-LTE Series: Authenticated Command Injection via sendTestEmail", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Moxa recommends users to implement the following mitigations if necessary: </p><ul><li>Minimize network exposure to ensure the device is not accessible from the Internet. </li><li>When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). </li><li>The starting point of all the above vulnerabilities is from the web service, so it is suggested to disable web service temporarily if you completed configuration to prevent further damages from these vulnerabilities until installed patch or updated firmware.\u202f</li></ul>"}], "value": "Moxa recommends users to implement the following mitigations if necessary: \n\n * Minimize network exposure to ensure the device is not accessible from the Internet. \n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). \n * The starting point of all the above vulnerabilities is from the web service, so it is suggested to disable web service temporarily if you completed configuration to prevent further damages from these vulnerabilities until installed patch or updated firmware."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-25T13:15:03.203557Z", "id": "CVE-2024-4640", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-25T13:15:08.856Z"}}]}}