CVE-2024-51513

Improper Input Validation (CWE-20)

Published: Nov 5, 2024 / Updated: 14d ago

010
CVSS 5.5EPSS 0.04%Medium
CVE info copied to clipboard

Summary

A vulnerability has been identified in the VPN module where processes are not being fully terminated. This issue affects HarmonyOS version 5.0.0.

Impact

Successful exploitation of this vulnerability will affect power consumption. The CVSS v3.1 base score is 5.5, indicating a medium severity. The attack vector is local, requiring low privileges and no user interaction. While there is no impact on confidentiality or integrity, the availability impact is high. This suggests that the main consequence of the vulnerability is increased power consumption, which could potentially lead to device battery drain or overheating.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Huawei has released a security bulletin on November 7, 2024, which can be found at https://consumer.huawei.com/en/support/bulletin/2024/11/.

Mitigation

1. Apply the patch provided by Huawei as soon as possible. 2. Monitor and manage local access to affected devices, as the attack vector is local. 3. Keep the VPN module and HarmonyOS updated to the latest version. 4. Implement the principle of least privilege to minimize the potential for exploitation. 5. Monitor affected devices for unusual power consumption patterns that may indicate exploitation.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-51513. See article

Nov 5, 2024 at 8:32 AM / <object object at 0x79b19ecc4180>
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 5, 2024 at 8:53 AM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 5, 2024 at 8:55 AM
CVE Assignment

NVD published the first details for CVE-2024-51513

Nov 5, 2024 at 9:15 AM
CVSS

A CVSS base score of 5.5 has been assigned.

Nov 5, 2024 at 9:20 AM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 10%)

Nov 6, 2024 at 11:56 AM
Static CVE Timeline Graph

Affected Systems

Huawei/harmonyos
+null more

Patches

consumer.huawei.com
+null more

Links to Mitre Att&cks

T1562.003: Impair Command History Logging
+null more

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables
+null more

References

Huawei lists EMUI and HarmonyOS November 2024 security patch details
We’re on 5th November 2024 and Huawei has revealed new security patch details for its EMUI and HarmonyOS devices. Huawei has eliminated around 21 vulnerabilities with the November 2024 security patch for EMUI and HarmonyOS models.

News

Huawei lists EMUI and HarmonyOS November 2024 security patch details
We’re on 5th November 2024 and Huawei has revealed new security patch details for its EMUI and HarmonyOS devices. Huawei has eliminated around 21 vulnerabilities with the November 2024 security patch for EMUI and HarmonyOS models.
CVE-2024-51513 | Huawei HarmonyOS 5.0.0 VPN Module denial of service
A vulnerability was found in Huawei HarmonyOS 5.0.0 . It has been rated as problematic . Affected by this issue is some unknown functionality of the component VPN Module . The manipulation leads to denial of service. This vulnerability is handled as CVE-2024-51513 . It is possible to launch the attack on the local host. There is no exploit available.
CVE-2024-51513 - Cisco VPN Process Termination Vulnerability
CVE ID : CVE-2024-51513 Published : Nov. 5, 2024, 9:15 a.m. 49 minutes ago Description : Vulnerability of processes not being fully terminated in the VPN module Impact: Successful exploitation of this vulnerability will affect power consumption. Severity: 5.5
CVE-2024-51513
Vulnerability of processes not being fully terminated in the VPN module Impact: Successful exploitation of this vulnerability will affect power...
CVE-2024-51513
Vulnerability of processes not being fully terminated in the VPN module Impact: Successful exploitation of this vulnerability will affect power consumption.
See 2 more articles and social media posts

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:None
Integrity:None
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI