From 2d3d68bb54684a64ea640a6783375f78ea5ece86 Mon Sep 17 00:00:00 2001
From: cvelistV5 Github Action
Date: Fri, 3 Jan 2025 08:33:19 +0000
Subject: [PATCH] 1 changes (1 new | 0 updated): - 1 new CVEs: CVE-2024-9140 - 0 updated CVEs:
---
 cves/2024/9xxx/CVE-2024-9140.json | 255 ++++++++++++++++++++++++++++++
 cves/delta.json | 18 +--
 cves/deltaLog.json | 14 ++
 3 files changed, 275 insertions(+), 12 deletions(-)
 create mode 100644 cves/2024/9xxx/CVE-2024-9140.json
diff --git a/cves/2024/9xxx/CVE-2024-9140.json b/cves/2024/9xxx/CVE-2024-9140.json
new file mode 100644
index 000000000000..af932751b334
--- /dev/null
+++ b/cves/2024/9xxx/CVE-2024-9140.json
@@ -0,0 +1,255 @@ +{ + "dataType": "CVE_RECORD", + "dataVersion": "5.1", + "cveMetadata": { + "cveId": "CVE-2024-9140", + "assignerOrgId": "2e0a0ee2-d866-482a-9f5e-ac03d156dbaa", + "state": "PUBLISHED", + "assignerShortName": "Moxa", + "dateReserved": "2024-09-24T07:11:44.997Z", + "datePublished": "2025-01-03T08:26:18.298Z", + "dateUpdated": "2025-01-03T08:26:18.298Z" + }, + "containers": { + "cna": { + "affected": [ + { + "defaultStatus": "unaffected", + "product": "EDR-8010 Series", + "vendor": "Moxa", + "versions": [ + { + "lessThanOrEqual": "3.13.1", + "status": "affected", + "version": "1.0", + "versionType": "custom" + } + ] + }, + { + "defaultStatus": "unaffected", + "product": "EDR-G9004 Series", + "vendor": "Moxa", + "versions": [ + { + "lessThanOrEqual": "3.13.1", + "status": "affected", + "version": "1.0", + "versionType": "custom" + } + ] + }, + { + "defaultStatus": "unaffected", + "product": "EDR-G9010 Series", + "vendor": "Moxa", + "versions": [ + { + "lessThanOrEqual": "3.13.1", + "status": "affected", + "version": "1.0", + "versionType": "custom" + } + ] + }, + { + "defaultStatus": "unaffected", + "product": "EDF-G1002-BP Series", + "vendor": "Moxa", + "versions": [ + { + "lessThanOrEqual": "3.13.1", + "status": "affected", + "version": "1.0", + "versionType": "custom" + } + ] + }, + { + "defaultStatus": "unaffected", + "product": "NAT-102 Series", + "vendor": "Moxa", + "versions": [ + { + "lessThanOrEqual": "1.0.5", + "status": "affected", + "version": "1.0", + "versionType": "custom" + } + ] + }, + { + "defaultStatus": "unaffected", + "product": "OnCell G4302-LTE4 Series", + "vendor": "Moxa", + "versions": [ + { + "lessThanOrEqual": "3.13", + "status": "affected", + "version": "1.0", + "versionType": "custom" + } + ] + }, + { + "defaultStatus": "unaffected", + "product": "TN-4900 Series", + "vendor": "Moxa", + "versions": [ + { + "lessThanOrEqual": "3.13", + "status": "affected", + "version": "1.0", + "versionType": "custom" + } + ] + } + ], + 
"credits": [ + { + "lang": "en", + "type": "finder", + "value": "Lars Haulin" + } + ], + "descriptions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "

Moxa’s cellular routers, secure routers, and network security appliances are affected by a critical vulnerability, CVE-2024-9140. This vulnerability allows OS command injection due to improperly restricted commands, potentially enabling attackers to execute arbitrary code. This poses a significant risk to the system’s security and functionality.

" + } + ], + "value": "Moxa’s cellular routers, secure routers, and network security appliances are affected by a critical vulnerability, CVE-2024-9140. This vulnerability allows OS command injection due to improperly restricted commands, potentially enabling attackers to execute arbitrary code. This poses a significant risk to the system’s security and functionality." + } + ], + "impacts": [ + { + "capecId": "CAPEC-88", + "descriptions": [ + { + "lang": "en", + "value": "CAPEC-88: OS Command Injection" + } + ] + } + ], + "metrics": [ + { + "cvssV4_0": { + "Automatable": "NOT_DEFINED", + "Recovery": "NOT_DEFINED", + "Safety": "NOT_DEFINED", + "attackComplexity": "LOW", + "attackRequirements": "NONE", + "attackVector": "NETWORK", + "baseScore": 9.3, + "baseSeverity": "CRITICAL", + "privilegesRequired": "NONE", + "providerUrgency": "NOT_DEFINED", + "subAvailabilityImpact": "NONE", + "subConfidentialityImpact": "NONE", + "subIntegrityImpact": "NONE", + "userInteraction": "NONE", + "valueDensity": "NOT_DEFINED", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", + "version": "4.0", + "vulnAvailabilityImpact": "HIGH", + "vulnConfidentialityImpact": "HIGH", + "vulnIntegrityImpact": "HIGH", + "vulnerabilityResponseEffort": "NOT_DEFINED" + }, + "format": "CVSS", + "scenarios": [ + { + "lang": "en", + "value": "GENERAL" + } + ] + }, + { + "cvssV3_1": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "HIGH", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + }, + "format": "CVSS", + "scenarios": [ + { + "lang": "en", + "value": "GENERAL" + } + ] + } + ], + "problemTypes": [ + { + "descriptions": [ + { + "cweId": "CWE-78", + "description": "CWE-78: Improper Neutralization of 
Special Elements used in an OS Command (‘OS Command Injection’)", + "lang": "en", + "type": "CWE" + } + ] + } + ], + "providerMetadata": { + "orgId": "2e0a0ee2-d866-482a-9f5e-ac03d156dbaa", + "shortName": "Moxa", + "dateUpdated": "2025-01-03T08:26:18.298Z" + }, + "references": [ + { + "tags": [ + "vendor-advisory" + ], + "url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241155-privilege-escalation-and-os-command-injection-vulnerabilities-in-cellular-routers,-secure-routers,-and-netwo" + } + ], + "solutions": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "

Moxa has developed appropriate solutions to address vulnerability. The solutions for the affected products are listed below.



" + } + ], + "value": "Moxa has developed appropriate solutions to address vulnerability. The solutions for the affected products are listed below.\n\n\n\n * EDR-8010 Series: Upgrade to the firmware version 3.14 https://www.moxa.com/en/products/industrial-network-infrastructure/secure-routers/secure-routers/edr-8010-series#resources  or later\n * EDR-G9004 Series: Upgrade to the firmware version 3.14 https://www.moxa.com/en/products/industrial-network-infrastructure/secure-routers/secure-routers/edr-g9004-series#resources  or later\n * EDR-G9010 Series: Upgrade to the firmware version 3.14 https://www.moxa.com/en/products/industrial-network-infrastructure/secure-routers/secure-routers/edr-g9010-series#resources  or later\n * EDF-G1002-BP Series: Upgrade to the firmware version 3.14 https://www.moxa.com/en/products/industrial-network-infrastructure/network-security-appliance/edf-g1002-bp-series#resources  or later\n * NAT-102 Series: An official patch or firmware update is not currently available for this product. Please refer to the Mitigations section below for recommended measures to address the vulnerability.\n * OnCell G4302-LTE4 Series: Please contact Moxa Technical Support https://www.moxa.com/support/support/technical-support  for the security patch\n * TN-4900 Series: Please contact Moxa Technical Support https://www.moxa.com/support/support/technical-support  for the security patch" + } + ], + "source": { + "discovery": "EXTERNAL" + }, + "workarounds": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "" + } + ], + "value": "* Minimize network exposure to ensure the device is not accessible from the Internet.\n\n\n * Limit SSH access to trusted IP addresses and networks using firewall rules or TCP wrappers.\n\n\n * Implement IDS or Intrusion Prevention System (IPS) to detect and prevent exploitation attempts. 
These systems can provide an additional layer of defense by monitoring network traffic for signs of attacks." + } + ], + "x_generator": { + "engine": "Vulnogram 0.2.0" + } + } + } +} \ No newline at end of file diff --git a/cves/delta.json b/cves/delta.json index d7537f3e08cb..9cc77513cc4d 100644 --- a/cves/delta.json +++ b/cves/delta.json @@ -1,18 +1,12 @@ { - "fetchTime": "2025-01-03T08:22:32.294Z", - "numberOfChanges": 2, + "fetchTime": "2025-01-03T08:33:06.971Z", + "numberOfChanges": 1, "new": [ { - "cveId": "CVE-2024-12132", - "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-12132", - "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/12xxx/CVE-2024-12132.json", - "dateUpdated": "2025-01-03T08:22:21.179Z" - }, - { - "cveId": "CVE-2024-9138", - "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-9138", - "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/9xxx/CVE-2024-9138.json", - "dateUpdated": "2025-01-03T08:14:31.588Z" + "cveId": "CVE-2024-9140", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-9140", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/9xxx/CVE-2024-9140.json", + "dateUpdated": "2025-01-03T08:26:18.298Z" } ], "updated": [], diff --git a/cves/deltaLog.json b/cves/deltaLog.json index 2708a7a93238..40ce986c6221 100644 --- a/cves/deltaLog.json +++ b/cves/deltaLog.json @@ -1,4 +1,18 @@ [ + { + "fetchTime": "2025-01-03T08:33:06.971Z", + "numberOfChanges": 1, + "new": [ + { + "cveId": "CVE-2024-9140", + "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2024-9140", + "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2024/9xxx/CVE-2024-9140.json", + "dateUpdated": "2025-01-03T08:26:18.298Z" + } + ], + "updated": [], + "error": [] + }, { "fetchTime": "2025-01-03T08:22:32.294Z", "numberOfChanges": 2,
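Review bot: The NAT-102 Series entry in `affected` pairs `"defaultStatus": "unaffected"` with a range that ends at `"lessThanOrEqual": "1.0.5"`, while the `solutions` text in the same record says no patch or firmware update is available for that product. A consumer that evaluates the range literally will report any NAT-102 firmware numbered above 1.0.5 as not vulnerable although no fixed release is named; the same applies to the OnCell G4302-LTE4 and TN-4900 entries, whose remedy is a patch obtained from support rather than a version number. If the CNA cannot name a fixed version yet, `"defaultStatus": "unknown"` on those entries would keep scanners from returning a false clean result. Separately, every range uses `"versionType": "custom"`, which leaves the ordering of values such as 3.13 and 3.13.1 undefined for automated matching, so asset owners should compare installed firmware against the vendor advisory by hand rather than rely on tooling that parses this record.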