CVE-2024-40893
CVSS V2 None
CVSS V3 None
Description
Multiple authenticated operating system (OS) command injection vulnerabilities exist in Firewalla Box Software
versions before 1.979. A physically close
attacker that is authenticated to the Bluetooth Low-Energy (BTLE) interface can use the network configuration service to inject commands in various configuration parameters including networkConfig.Interface.Phy.Eth0.Extra.PingTestIP, networkConfig.Interface.Phy.Eth0.Extra.DNSTestDomain, and networkConfig.Interface.Phy.Eth0.Gateway6. Additionally, because the configuration can be synced to the Firewalla cloud, the attacker may be able to persist access even after hardware resets and firmware re-flashes.
Overview
- CVE ID
- CVE-2024-40893
- Assigner
- VulnCheck
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-08-12T18:49:51.384Z
- Last Modified Date
- 2024-08-12T18:49:51.384Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://vulncheck.com/advisories/firewalla-bt-command-injection |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-40893 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40893 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-08-13 13:03:17 | Added to TrackCVE |