CVE-2024-51424

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Oct 30, 2024 / Updated: 20d ago

CVSS 9.8 / EPSS 0.04% / Critical

Summary

An issue in Ethereum v.1.12.2 allows a remote attacker to execute arbitrary code via the Owned.setOwner function.

Impact

This vulnerability has a critical impact. It allows remote attackers to execute arbitrary code on the affected system without requiring any user interaction or privileges. This can lead to complete system compromise, including unauthorized access to sensitive data, modification of system settings, and potential disruption of services. The vulnerability affects the confidentiality, integrity, and availability of the system, all rated as "HIGH" impact.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation at the moment.

Patch

Based on the information available, no patch has been mentioned. Users of Ethereum v.1.12.2 should monitor official Ethereum communication channels for patch information and update instructions.

Mitigation

While waiting for an official patch, consider the following mitigation strategies:

1. Limit network access to the affected Ethereum nodes, especially the Owned.setOwner function, to trusted IP addresses only.
2. Monitor systems running Ethereum v.1.12.2 for any suspicious activities or unauthorized changes.
3. If possible, consider temporarily disabling or restricting access to the Owned.setOwner function until a patch is available.
4. Implement additional security layers such as intrusion detection systems (IDS) and web application firewalls (WAF) to detect and block potential exploit attempts.
5. Regularly back up critical data and ensure the ability to quickly restore systems in case of compromise.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-51424

Oct 30, 2024 at 9:15 PM
First Article

Feedly found the first article mentioning CVE-2024-51424. See article

Oct 30, 2024 at 9:22 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 30, 2024 at 9:31 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.9%)

Oct 31, 2024 at 9:57 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 31, 2024 at 4:40 PM / nvd

Affected Systems

Ethereum/ethereum

Attack Patterns

CAPEC-242: Code Injection

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
