Exploit
CVE-2024-7470

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: Aug 5, 2024 / Updated: 3mo ago

CVSS 5.3 / EPSS 0.05% / Medium

Summary

A critical vulnerability has been discovered in the Web Interface of Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 devices running firmware version 3.90. The vulnerability affects the sslvpn_config_mod function in the /vpn/vpn_template_style.php file. This issue allows for OS command injection through manipulation of the template/stylenum argument. The attack can be initiated remotely and does not require user interaction or privileges.

Impact

This vulnerability allows for remote code execution with high impact on confidentiality, integrity, and availability. Attackers could potentially gain full control over the affected devices, leading to unauthorized access to sensitive information, modification of system configurations, and disruption of network services. The vulnerability's criticality is underscored by its CVSS v3.1 base score of 9.8 (Critical), indicating a severe risk to the organization's network infrastructure and data security.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation at the moment.

Patch

As of the current information, no specific patch has been mentioned. The vulnerability disclosure notes that the vendor (Raisecom) was contacted but did not respond, suggesting that an official patch may not be available yet. Security teams should monitor for any updates or patches released by Raisecom for the affected devices and firmware versions.

Mitigation

Given the critical nature of this vulnerability and the lack of an official patch, immediate mitigation steps are crucial:

1. Implement strong network segmentation to isolate affected devices.
2. Apply strict access controls to limit remote access to the affected devices.
3. Monitor for any suspicious activities or unauthorized access attempts on the affected devices.
4. Consider disabling the SSL VPN functionality if not critically needed until a patch is available.
5. Regularly check for updates from Raisecom and apply any security patches as soon as they become available.
6. If possible, consider upgrading to newer device models or firmware versions that may not be affected by this vulnerability.
7. Implement intrusion detection/prevention systems (IDS/IPS) to detect and block potential exploitation attempts.
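For the monitoring and IDS steps above, the following added example (not part of the original advisory and not vendor code) scans web access logs for requests to /vpn/vpn_template_style.php whose template or stylenum value falls outside a conservative allowlist. It assumes that "template/stylenum" refers to two request parameters with those names, that they appear in the query string, and that a reverse proxy in front of the device writes combined-format access logs; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# From the advisory: the affected file and argument names.
TARGET_PATH = "/vpn/vpn_template_style.php"
# Assumption: "template/stylenum" means two parameters with these names.
WATCHED_PARAMS = {"template", "stylenum"}
# Assumption: legitimate values are short identifiers or numbers.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{0,64}")
# Combined log format: client ... "METHOD URI HTTP/x.y" status
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Aug/2024:10:00:01 +0000] '
    '"GET /vpn/vpn_template_style.php?template=default&stylenum=2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Aug/2024:10:00:05 +0000] '
    '"GET /vpn/vpn_template_style.php?template=default&stylenum=2%3Becho+test HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Aug/2024:10:00:09 +0000] '
    '"GET /index.php?stylenum=%60x%60 HTTP/1.1" 404 0',
]

def suspicious_requests(log_lines):
    """Return (client, parameter, decoded_value) for every watched parameter
    on the target path whose decoded value is outside the allowlist."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, uri, _status = m.groups()
        parts = urlsplit(uri)
        if parts.path.rstrip("/").lower() != TARGET_PATH:
            continue  # only the endpoint named in the advisory
        # parse_qsl percent-decodes values, so encoded metacharacters are seen.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in WATCHED_PARAMS and not SAFE_VALUE.fullmatch(value):
                hits.append((client, name, value))
    return hits

if __name__ == "__main__":
    for client, name, value in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {client}: {name}={value!r}")
```

Parameters sent in a request body do not appear in access logs, so this check complements, rather than replaces, an inline IDS/IPS rule on the same path.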

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article
Feedly found the first article mentioning CVE-2024-7470.
Aug 5, 2024 at 4:03 AM / CVE

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Aug 5, 2024 at 4:04 AM

CVE Assignment
NVD published the first details for CVE-2024-7470
Aug 5, 2024 at 4:15 AM

CVSS
A CVSS base score of 6.3 has been assigned.
Aug 5, 2024 at 4:20 AM / nvd

EPSS
EPSS Score was set to: 0.05% (Percentile: 17%)
Aug 6, 2024 at 10:12 AM

CVSS
A CVSS base score of 9.8 has been assigned.
Aug 6, 2024 at 5:40 PM / nvd

Proof of Concept (PoC) Released
A proof of concept exploit has been released
Aug 6, 2024 at 7:11 PM

CVSS
A CVSS base score of 9.8 has been assigned.
Oct 28, 2024 at 9:11 PM / nvd

Affected Systems

Raisecom/msg1200_firmware

Exploits

https://github.com/h0e4a0r1t/h0e4a0r1t.github.io/blob/master/2024/sQrromK7x42JbLgY/Command%20Injection%20Vulnerability%20in%20RAISECOM%20Gateway%20Devices-vpn_template_style.php.pdf

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

CVE-2024-7470 Exploit
CVE Id : CVE-2024-7470 Published Date: 2024-08-06T17:37:00+00:00 A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. It has been rated as critical. This issue affects the function sslvpn_config_mod of the file /vpn/vpn_template_style.php of the component Web Interface. The manipulation of the argument template/stylenum leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273563. NOTE:
CVE-2024-7470
Critical Severity Description A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. It has been rated as critical. This issue affects the function sslvpn_config_mod of the file /vpn/vpn_template_style.php of the component Web Interface. The manipulation of the argument template/stylenum leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273563. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Read more at https://www.tenable.com/cve/CVE-2024-7470
NA - CVE-2024-7470 - A vulnerability was found in Raisecom MSG1200,...
A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. It has been rated as critical. This issue affects the function sslvpn_config_mod of the file...
CVE-2024-7470
Severity 3.1 (CVSS 3.1 Base Score) This issue affects the function sslvpn_config_mod of the file /vpn/vpn_template_style.php of the component Web Interface.
cveNotify: 🚨 CVE-2024-7470 A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. It has been rated as critical. This issue affects the function sslvpn_config_mod of the file /vpn/vpn_template_style.php of the component Web Interface. The manipulation of the argument template/stylenum leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273563. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 🎖@cveNotify

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
