Description

Multiple authenticated operating system (OS) command injection vulnerabilities exist in Firewalla Box Software versions before 1.979. A physically close attacker that is authenticated to the Bluetooth Low-Energy (BTLE) interface can use the network configuration service to inject commands in various configuration parameters including networkConfig.Interface.Phy.Eth0.Extra.PingTestIP, networkConfig.Interface.Phy.Eth0.Extra.DNSTestDomain, and networkConfig.Interface.Phy.Eth0.Gateway6. Additionally, because the configuration can be synced to the Firewalla cloud, the attacker may be able to persist access even after hardware resets and firmware re-flashes.

INFO

Published Date :

2024-08-12T18:49:51.384Z

Last Modified :

2024-08-21T17:13:39.202Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2024-40893 vulnerability.

Vendors Products
Firewalla
  • Box Software
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-40893.

URL Resource
https://vulncheck.com/advisories/firewalla-bt-command-injection cve-icon cve-icon
https://www.labs.greynoise.io/grimoire/2024-08-20-bluuid-firewalla/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact