CVE-2024-4639

OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to a lack of neutralized inputs in IPSec configuration. An attacker could modify the intended commands sent to target functions, which could cause malicious users to execute unauthorized commands.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-242550-oncell-g3470a-lte-series-multiple-web-application-vulnerabilities	Vendor Advisory
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-242550-oncell-g3470a-lte-series-multiple-web-application-vulnerabilities	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:moxa:oncell_g3470a-lte-eu-t_firmware::::::::
	cpe:2.3:o:moxa:oncell_g3470a-lte-eu_firmware::::::::
	cpe:2.3:o:moxa:oncell_g3470a-lte-us-t_firmware::::::::
	cpe:2.3:o:moxa:oncell_g3470a-lte-us_firmware::::::::

OR	cpe:2.3:h:moxa:oncell_g3470a-lte-eu:-:::::::*
	cpe:2.3:h:moxa:oncell_g3470a-lte-eu-t:-:::::::*
	cpe:2.3:h:moxa:oncell_g3470a-lte-us:-:::::::*
	cpe:2.3:h:moxa:oncell_g3470a-lte-us-t:-:::::::*

History

No history.

Information

Published : 2024-06-25 10:15

Updated : 2024-11-21 09:43

NVD link : CVE-2024-4639

Mitre link : CVE-2024-4639

CVE.ORG link : CVE-2024-4639

JSON object : View

Products Affected

moxa

oncell_g3470a-lte-us-t_firmware
oncell_g3470a-lte-us-t
oncell_g3470a-lte-eu-t
oncell_g3470a-lte-us_firmware
oncell_g3470a-lte-us
oncell_g3470a-lte-eu_firmware
oncell_g3470a-lte-eu-t_firmware
oncell_g3470a-lte-eu

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2024-4639", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@moxa.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-06-25T10:15:19.897", "references": [{"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-242550-oncell-g3470a-lte-series-multiple-web-application-vulnerabilities", "tags": ["Vendor Advisory"], "source": "psirt@moxa.com"}, {"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-242550-oncell-g3470a-lte-series-multiple-web-application-vulnerabilities", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@moxa.com", "description": [{"lang": "en", "value": "CWE-77"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to a lack of neutralized inputs in IPSec configuration. An attacker could modify the intended commands sent to target functions, which could cause malicious users to execute unauthorized commands."}, {"lang": "es", "value": "Las versiones de firmware de la serie OnCell G3470A-LTE v1.7.7 y anteriores han sido identificadas como vulnerables debido a la falta de entradas neutralizadas en la configuraci\u00f3n IPSec. Un atacante podr\u00eda modificar los comandos previstos enviados a las funciones de destino, lo que podr\u00eda provocar que usuarios malintencionados ejecuten comandos no autorizados."}], "lastModified": "2024-11-21T09:43:15.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:oncell_g3470a-lte-eu-t_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E18DFB2B-98A9-49B4-9338-404DDD5D03DE", "versionEndIncluding": "1.7.7"}, {"criteria": "cpe:2.3:o:moxa:oncell_g3470a-lte-eu_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D66E977-C246-4AE1-B98A-C5E53B05AEE4", "versionEndIncluding": "1.7.7"}, {"criteria": "cpe:2.3:o:moxa:oncell_g3470a-lte-us-t_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F9F52AF7-B4F6-4A74-AB10-EE7BED739E1B", "versionEndIncluding": "1.7.7"}, {"criteria": "cpe:2.3:o:moxa:oncell_g3470a-lte-us_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2530C6D4-CA66-4932-A943-FA8318819868", "versionEndIncluding": "1.7.7"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:oncell_g3470a-lte-eu:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "620CD649-90E9-422A-9FF7-51C2FFF2DFDD"}, {"criteria": "cpe:2.3:h:moxa:oncell_g3470a-lte-eu-t:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4E97DFAB-1D6E-4110-89C1-DD5616A6320B"}, {"criteria": "cpe:2.3:h:moxa:oncell_g3470a-lte-us:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A14AC6DF-528B-479F-945C-B8268B22AD75"}, {"criteria": "cpe:2.3:h:moxa:oncell_g3470a-lte-us-t:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A599BB3F-33B0-434F-8F74-D4E77DA73EBB"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@moxa.com"}