CVE-2024-38279

The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-19	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:motorola:vigilant_fixed_lpr_coms_box_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:motorola:vigilant_fixed_lpr_coms_box:-:*:*:*:*:*:*:*

History

03 Oct 2024, 17:32

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.6
CPE		cpe:2.3:h:motorola:vigilant_fixed_lpr_coms_box:-:::::::* cpe:2.3:o:motorola:vigilant_fixed_lpr_coms_box_firmware::::::::
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-19 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-19 - Third Party Advisory, US Government Resource
First Time		Motorola vigilant Fixed Lpr Coms Box Firmware Motorola Motorola vigilant Fixed Lpr Coms Box
CWE		CWE-306
Summary		(es) El producto afectado es vulnerable a que un atacante modifique el gestor de arranque mediante el uso de argumentos personalizados para eludir la autenticación y obtener acceso al sistema de archivos y obtener hashes de contraseña.

13 Jun 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-13 17:15

Updated : 2024-10-03 17:32

NVD link : CVE-2024-38279

Mitre link : CVE-2024-38279

CVE.ORG link : CVE-2024-38279

JSON object : View

Products Affected

motorola

vigilant_fixed_lpr_coms_box_firmware
vigilant_fixed_lpr_coms_box

CWE

CWE-306

Missing Authentication for Critical Function

CWE-288

Authentication Bypass Using an Alternate Path or Channel

{"id": "CVE-2024-38279", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 5.1, "automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-06-13T17:15:51.193", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-19", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-288"}]}], "descriptions": [{"lang": "en", "value": "The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes."}, {"lang": "es", "value": "El producto afectado es vulnerable a que un atacante modifique el gestor de arranque mediante el uso de argumentos personalizados para eludir la autenticaci\u00f3n y obtener acceso al sistema de archivos y obtener hashes de contrase\u00f1a."}], "lastModified": "2024-10-03T17:32:14.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:motorola:vigilant_fixed_lpr_coms_box_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E85B1E9A-C212-4469-AA63-243CDB7187B3", "versionEndIncluding": "3.1.171.9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:motorola:vigilant_fixed_lpr_coms_box:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BC3B1257-7688-48D0-8BDA-6E651746FDBB"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}