CVE-2024-51500

Failure to check for packets from the broadcast address allows potential DDoS amplification attack in Meshtastic firmware

Description

Meshtastic firmware is a device firmware for the Meshtastic project. The Meshtastic firmware does not check for packets claiming to be from the special broadcast address (0xFFFFFFFF) which could result in unexpected behavior and potential for DDoS attacks on the network. A malicious actor could craft a packet to be from that address which would result in an amplification of this one message into every node on the network sending multiple messages. Such an attack could result in degraded network performance for all users as the available bandwidth is consumed. This issue has been addressed in release version 2.5.6. All users are advised to upgrade. There are no known workarounds for this vulnerability.

INFO

Published Date :

2024-11-04T23:00:31.876Z

Last Modified :

2024-11-05T16:49:57.752Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2024-51500 vulnerability.

Vendors	Products
Meshtastic	Firmware Meshtastic Firmware

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-51500.

URL	Resource
https://github.com/meshtastic/firmware/security/advisories/GHSA-xfmq-5j3j-vgv8

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact