Exploit
CVE-2024-5947

Missing Authentication for Critical Function (CWE-306)

Published: Jun 13, 2024 / Updated: 5mo ago

CVSS 6.5 / EPSS 0.04% / Medium

Summary

This vulnerability affects Deep Sea Electronics DSE855 devices and allows network-adjacent attackers to disclose sensitive information without requiring authentication. The specific flaw exists within the web-based UI, where there is a lack of authentication prior to allowing access to functionality. This issue falls under the category of Missing Authentication for Critical Function (CWE-306).

Impact

An attacker can exploit this vulnerability to disclose stored credentials, which could lead to further compromise of the affected systems. The confidentiality impact is high, while integrity and availability impacts are none. The attack vector is adjacent network, meaning the attacker needs to be on the same network segment as the vulnerable device. The attack complexity is low, requiring no user interaction or privileges to execute.

Exploitation

Multiple proof-of-concept exploits are available on zerodayinitiative.com and github.com. There is no evidence of exploitation at the moment.

Patch

As of the latest information provided (June 13, 2024), no patch is available for this vulnerability. The vendor has been unresponsive to the Zero Day Initiative's attempts to report and coordinate the vulnerability disclosure. The vulnerability is being published as a zero-day advisory due to the lack of vendor response.

Mitigation

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application. This may involve network segmentation to limit access to the DSE855 devices only to trusted systems and users.

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

CVE Assignment
NVD published the first details for CVE-2024-5947
Jun 13, 2024 at 8:15 PM

First Article
Feedly found the first article mentioning CVE-2024-5947.
Jun 13, 2024 at 8:21 PM / National Vulnerability Database

CVSS Estimate
Feedly estimated the CVSS score as MEDIUM
Jun 13, 2024 at 8:21 PM

EPSS
EPSS Score was set to: 0.04% (Percentile: 9%)
Jun 14, 2024 at 10:06 AM

CVSS
A CVSS base score of 6.5 has been assigned.
Jul 1, 2024 at 10:46 PM / zdi-advisories

Detection in Vulnerability Scanners
Detection for the vulnerability has been added to Qualys (731737)
Sep 2, 2024 at 7:53 AM

Threat Intelligence Report
CVE-2024-5947 is a vulnerability with a CVSS v3.1 base score of 6.5 and a CVSS v4 base score of 7.1, indicating a moderate to high criticality. The details provided do not specify whether it is being exploited in the wild, nor do they mention any proof-of-concept exploits, mitigations, detections, patches, or downstream impacts to third-party vendors or technology. Further investigation would be necessary to assess the full scope and implications of this vulnerability.
Oct 24, 2024 at 1:53 PM

Affected Systems

Deepseaelectronics/dse855_firmware

Exploits

https://www.zerodayinitiative.com/advisories/ZDI-24-671/

Attack Patterns

CAPEC-12: Choosing Message Identifier

Vendor Advisory

ZDI-24-671: (0Day) Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Deep Sea Electronics DSE855 devices. 02/14/24 – ZDI emphasized our intent to responsibly disclose this vulnerability to Deep Sea for remediation.

References

Deep Sea Electronics DSE855
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as: When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available.

News

Critical ICS Vulnerabilities Exposed: CISA Advisories Urge Immediate Action
The vulnerabilities identified range from path traversal issues to improper access control and even authentication flaws, all of which pose online risks to the integrity and confidentiality of ICS networks. Cyble Research & Intelligence Labs (CRIL) has released a new report focusing on critical Industrial Control System (ICS) vulnerabilities, with insights derived from recent advisories issued by the Cybersecurity and Infrastructure Security Agency (CISA).

ICS Vulnerability Intelligence Report: Key Insights and Recommendations
During this reporting period, CISA issued four security advisories targeting vulnerabilities across various Industrial Control Systems, including those from ICONICS, Mitsubishi Electric, VIMESA, iniNet Solutions, and Deep Sea Electronics. These advisories pinpoint ICS vulnerabilities that security teams should prioritize for immediate patching to mitigate potential risks.

CISA issues four ICS advisories highlighting hardware vulnerabilities in critical infrastructure equipment
The agency disclosed hardware vulnerabilities in equipment from VIMESA, iniNet Solutions, Deep Sea Electronics, and OMNTEC used across the critical infrastructure sector. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released four ICS (industrial control systems) advisories providing timely information about current security issues, vulnerabilities, and exploits surrounding these environments.

Deep Sea Electronics DSE855
Vulnerability: Missing Authentication for Critical Function. The following versions of Deep Sea Electronics DSE855, an ethernet communications device, are affected:

CVSS V3.1

Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: None
