CVE-2024-9579

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Nov 5, 2024 / Updated: 14d ago

CVSS 7.5 / EPSS 0.04% / High

Summary

A potential vulnerability was discovered in certain Poly video conferencing devices. The firmware flaw does not properly sanitize user input. The exploitation of this vulnerability is dependent on a layered attack and cannot be exploited by itself.

Impact

This vulnerability could potentially lead to high impacts on integrity, availability, and confidentiality of the affected systems. The attack vector is from an adjacent network, requires no user interaction, and needs no privileges to exploit. However, the attack complexity is high, which may limit its immediate exploitability. If successfully exploited as part of a layered attack, an attacker could potentially execute arbitrary commands on the affected devices, leading to unauthorized access, data manipulation, or system disruption.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. HP has released firmware updates to address this vulnerability.

Mitigation

1. Update the firmware of affected Poly video conferencing devices to the latest versions:
   - Poly TC8 and TC10: update to version 6.3.2 or later
   - Poly Studio G7500, X50, X70, X52, and G62: update to version 4.3.2 or later
   - Poly Studio X30: update to a version after 4.3.2
2. Implement network segmentation to isolate video conferencing devices from other critical systems.
3. Monitor for any suspicious activity or unauthorized access attempts on these devices.
4. Apply the principle of least privilege for user accounts interacting with these devices.
5. Regularly review and update security configurations for all video conferencing equipment.

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9579

Nov 5, 2024 at 5:15 PM
CVSS

A CVSS base score of 7.5 has been assigned.

Nov 5, 2024 at 5:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9579.

Nov 5, 2024 at 5:21 PM / VulDB Recent Entries
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 5, 2024 at 5:21 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10%)

Nov 6, 2024 at 10:26 AM

Affected Systems

Hp/poly_studio_x52_firmware

Patches

support.hp.com

Attack Patterns

CAPEC-136: LDAP Injection

News

CVE Alert: CVE-2024-9579
Poly Video Conferencing Devices Vulnerable to Firmware Flaw
HP, Inc. - HIGH - CVE-2024-9579 A potential vulnerability was discovered in certain Poly video conferencing devices. The firmware flaw does not properly sanitize user input. The exploitation of this vulnerability is dependent on a layered attack and cannot be exploited by itself.
CVE-2024-9579
A potential vulnerability was discovered in certain Poly video conferencing devices. The firmware flaw does not properly sanitize user input. The exploitation of this vulnerability is dependent on a layered attack and cannot be exploited by...
CVE-2024-9579
A potential vulnerability was discovered in certain Poly video conferencing devices. The firmware flaw does not properly sanitize user input. The exploitation of this vulnerability is dependent on a layered attack and cannot be exploited by itself.
CVE-2024-9579 | HP Poly Video Conference Device command injection
A vulnerability classified as critical has been found in HP Poly Video Conference Device . This affects an unknown part. The manipulation leads to command injection. This vulnerability is uniquely identified as CVE-2024-9579 . Access to the local network is required for this attack to succeed. There is no exploit available.

CVSS V3.1

Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
