CVE-2022-26941

A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.8 / Impact : 6.0

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://tetraburst.com/	Technical Description
https://tetraburst.com/	Technical Description

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:motorola:mtm5500_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:motorola:mtm5500:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:motorola:mtm5400_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:motorola:mtm5400:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:54

Type	Values Removed	Values Added
References	~~() https://tetraburst.com/ - Technical Description~~	() https://tetraburst.com/ - Technical Description
CVSS	v2 : ~~unknown~~ v3 : ~~8.8~~	v2 : unknown v3 : 9.6

25 Oct 2023, 18:31

Type	Values Removed	Values Added
CPE		cpe:2.3:h:motorola:mtm5400:-:::::::* cpe:2.3:o:motorola:mtm5400_firmware:-:::::::* cpe:2.3:h:motorola:mtm5500:-:::::::* cpe:2.3:o:motorola:mtm5500_firmware:-:::::::*
First Time		Motorola mtm5500 Motorola mtm5400 Motorola mtm5400 Firmware Motorola Motorola mtm5500 Firmware
CWE		CWE-134
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
References	~~(MISC) https://tetraburst.com/ -~~	(MISC) https://tetraburst.com/ - Technical Description

19 Oct 2023, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-19 10:15

Updated : 2024-11-21 06:54

NVD link : CVE-2022-26941

Mitre link : CVE-2022-26941

CVE.ORG link : CVE-2022-26941

JSON object : View

Products Affected

motorola

mtm5500
mtm5400
mtm5500_firmware
mtm5400_firmware

CWE

CWE-134

Use of Externally-Controlled Format String

{"id": "CVE-2022-26941", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cert@ncsc.nl", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-10-19T10:15:09.860", "references": [{"url": "https://tetraburst.com/", "tags": ["Technical Description"], "source": "cert@ncsc.nl"}, {"url": "https://tetraburst.com/", "tags": ["Technical Description"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cert@ncsc.nl", "description": [{"lang": "en", "value": "CWE-134"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-134"}]}], "descriptions": [{"lang": "en", "value": "A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges."}, {"lang": "es", "value": "Existe una vulnerabilidad de cadena de formato en el controlador de comandos AT del firmware de la serie Motorola MTM5000 para el comando AT+CTGL. Una cadena controlable por un atacante se maneja incorrectamente, lo que permite un escenario en el que se puede escribir cualquier cosa en cualquier lugar. Esto se puede aprovechar para obtener la ejecuci\u00f3n de c\u00f3digo arbitrario dentro del binario teds_app, que se ejecuta con privilegios de root."}], "lastModified": "2024-11-21T06:54:50.533", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:motorola:mtm5500_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB7C0C44-3660-4B47-A1ED-0BD19EFC5F03"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:motorola:mtm5500:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A1A0784B-AE84-4457-A884-5C26EEA8D181"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:motorola:mtm5400_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF669A29-B983-40F6-BBA9-D9F67E653BEF"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:motorola:mtm5400:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "03AA5A43-A1B5-4E1C-A844-691607765E30"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cert@ncsc.nl"}