CVE-2024-37023

Published: Aug 12, 2024Modified: Aug 20, 2024

9.4

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: ics-cert@hq.dhs.gov (Secondary)

Description

Multiple OS command injection vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge repeaters, software versions 3.3.23.6.9 and prior, enable an authenticated remote attacker to execute arbitrary OS commands via various endpoint parameters.

Affected (14)

Products: Vonets: Var1200 H Firmware, Var1200 L Firmware, Var600 H Firmware, Vap11ac Firmware, Vap11g 500s Firmware, Vbg1200 Firmware, Vap11s 5g Firmware, Vap11s Firmware, Var11n 300 Firmware, Vap11g 300 Firmware, Vap11n 300 Firmware, Vap11g Firmware, Vap11g 500 Firmware, Vga 1000 Firmware

14 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Var1200 H Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Var1200 H	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Var1200 L Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Var1200 L	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Var600 H Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Var600 H	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Vap11ac Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Vap11ac	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Vap11g 500s Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Vap11g 500s	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Vbg1200 Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Vbg1200	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Vap11s 5g Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Vap11s 5g	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Vap11s Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Vap11s	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Var11n 300 Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Var11n 300	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Vap11g 300 Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Vap11g 300	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Vap11n 300 Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Vap11n 300	All versions

Configuration L

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Vap11g Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Vap11g	All versions

Configuration M

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Vap11g 500 Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Vap11g 500	All versions

Configuration N

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Vonets Vga 1000 Firmware	Up to 3.3.23.6.9

Running on/with	Platform Versions
Vonets Vga 1000	All versions

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (1)

https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-08

Source: ics-cert@hq.dhs.gov

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.