CVE-2024-51299

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 30, 2024 / Updated: 20d ago

CVSS 8.8 (High) / EPSS 0.04%

Summary

In Draytek Vigor3900 version 1.5.1.3, there is a vulnerability that allows attackers to inject malicious commands into the mainfunction.cgi file and execute arbitrary commands by calling the dumpSyslog function. This is classified as a command injection vulnerability (CWE-77: Improper Neutralization of Special Elements used in a Command).

Impact

The impact of this vulnerability is severe. Attackers can execute arbitrary commands on the affected system, potentially leading to complete system compromise. With a CVSS v3.1 base score of 8.8 (High), this vulnerability has high impacts on confidentiality, integrity, and availability. The attack vector is network-based, requires low attack complexity, and no user interaction, making it relatively easy for attackers to exploit. The attacker needs low privileges to execute the attack, which further increases the risk.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation at the moment.

Patch

As of the current information provided, there is no mention of an available patch for this vulnerability. The affected version is Draytek Vigor3900 1.5.1.3, and users should monitor Draytek's official channels for patch announcements.

Mitigation

Until a patch is available, consider the following mitigation strategies:

1. Restrict network access to the Draytek Vigor3900 device, especially to the mainfunction.cgi file.
2. Implement strong network segmentation to isolate the affected device.
3. Monitor for suspicious activities, particularly any attempts to access mainfunction.cgi or calls to the dumpSyslog function.
4. If possible, disable or restrict access to the dumpSyslog function.
5. Regularly audit and review system logs for any signs of exploitation attempts.
6. Consider upgrading to a newer version of the firmware if available, or replacing the device with a more secure alternative if critical operations depend on it.
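One way to carry out the monitoring and log review steps above, as an added example that is not part of the original advisory or any vendor tooling. It assumes a reverse proxy or inspection device in front of the router that logs source address, URI and request body; the log format, the management subnet, the URL prefix and the `action=` field in the sample lines are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Assumption: only this management subnet should reach the device (constructed value).
MGMT_NETS = [ipaddress.ip_network("10.0.50.0/24")]

# Constructed sample lines in a hypothetical "<src> <METHOD> <uri> body=<body>" format.
# The "action=" field name is part of the constructed sample, not taken from the advisory.
SAMPLE_LOG = """\
10.0.50.7 GET /index.html body=-
10.0.50.7 POST /mainfunction.cgi body=action=status
192.0.2.44 POST /mainfunction.cgi body=action=status
10.0.50.9 POST /mainfunction.cgi body=action=dumpSyslog
192.0.2.44 POST /mainfunction.cgi body=action=dumpSys%6Cog
"""

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>\S+) (?P<uri>\S+) body=(?P<body>.*)$")

def decode(text, rounds=3):
    """URL-decode repeatedly so single- or double-encoded names still match."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(line):
    """Return (src, severity, reasons) for a mainfunction.cgi request, else None."""
    m = LINE_RE.match(line.strip())
    if not m or "mainfunction.cgi" not in decode(m["uri"]).lower():
        return None
    reasons = []
    try:
        trusted = any(ipaddress.ip_address(m["src"]) in net for net in MGMT_NETS)
    except ValueError:
        trusted = False  # unparseable source address is treated as untrusted
    if not trusted:
        reasons.append("source-outside-mgmt")
    if "dumpsyslog" in decode(m["uri"] + " " + m["body"]).lower():
        reasons.append("dumpSyslog-call")
    severity = ("low", "medium", "high")[len(reasons)]
    return m["src"], severity, reasons

def scan(log_text):
    """Classify every line and keep only requests that touch mainfunction.cgi."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for src, severity, reasons in scan(SAMPLE_LOG):
        print(f"{severity:6} {src:12} {','.join(reasons) or 'cgi-access'}")
```

Every request to mainfunction.cgi is reported, so routine administrative access shows up as `low` and can be baselined rather than ignored.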

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment
NVD published the first details for CVE-2024-51299
Oct 30, 2024 at 2:15 PM

First Article
Feedly found the first article mentioning CVE-2024-51299.
Oct 30, 2024 at 2:22 PM / National Vulnerability Database

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Oct 30, 2024 at 2:22 PM

CVSS
A CVSS base score of 8.8 has been assigned.
Oct 30, 2024 at 6:40 PM / nvd

EPSS
EPSS Score was set to: 0.04% (Percentile: 9.9%)
Oct 31, 2024 at 10:14 AM

Affected Systems

Draytek/vigor3900_firmware

Attack Patterns

CAPEC-136: LDAP Injection

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
