Common Weakness Enumeration

CWE-494

Allowed

Download of Code Without Integrity Check

Abstraction: Base · Status: Draft

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

292 vulnerabilities reference this CWE, most recent first.

GHSA-9M9P-VCP6-3MH5

Vulnerability from github – Published: 2025-09-22 18:30 – Updated: 2025-09-22 18:30
VLAI
Details

The Sound4 PULSE-ECO AES67 1.22 web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-57431"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-494"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-22T17:16:08Z",
    "severity": "HIGH"
  },
  "details": "The Sound4 PULSE-ECO AES67 1.22 web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware.",
  "id": "GHSA-9m9p-vcp6-3mh5",
  "modified": "2025-09-22T18:30:37Z",
  "published": "2025-09-22T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57431"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-57431"
    },
    {
      "type": "WEB",
      "url": "https://www.sound4.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9MMM-86G7-VP9G

Vulnerability from github – Published: 2024-08-27 06:30 – Updated: 2024-08-27 15:32
VLAI
Details

The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-494",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-27T04:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.",
  "id": "GHSA-9mmm-86g7-vp9g",
  "modified": "2024-08-27T15:32:46Z",
  "published": "2024-08-27T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45321"
    },
    {
      "type": "WEB",
      "url": "https://github.com/miyagawa/cpanminus/issues/611"
    },
    {
      "type": "WEB",
      "url": "https://github.com/miyagawa/cpanminus/pull/674"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/2024/08/26/cpanminus-downloads-code-using-insecure-http.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QRF-QW9F-XPJ5

Vulnerability from github – Published: 2024-05-06 21:30 – Updated: 2024-08-01 15:31
VLAI
Details

LuckyFrameWeb v3.5.2 was discovered to contain an arbitrary read vulnerability via the fileDownload method in class com.luckyframe.project.common.CommonController.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33118"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-494"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-06T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "LuckyFrameWeb v3.5.2 was discovered to contain an arbitrary read vulnerability via the fileDownload method in class com.luckyframe.project.common.CommonController.",
  "id": "GHSA-9qrf-qw9f-xpj5",
  "modified": "2024-08-01T15:31:43Z",
  "published": "2024-05-06T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33118"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cxcxcxcxcxcxcxc/cxcxcxcxcxcxcxc/blob/main/cxcxcxcxcxc/about-2024/33118.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9V7F-RJ28-9X3V

Vulnerability from github – Published: 2022-05-24 00:01 – Updated: 2022-06-04 00:00
VLAI
Details

In Tipask < 3.5.9, path parameters entered by the user are not validated when downloading attachments, a registered user can download arbitrary files on the Tipask server such as .env, /etc/passwd, laravel.log, causing infomation leakage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-494"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-23T16:16:00Z",
    "severity": "MODERATE"
  },
  "details": "In Tipask \u003c 3.5.9, path parameters entered by the user are not validated when downloading attachments, a registered user can download arbitrary files on the Tipask server such as .env, /etc/passwd, laravel.log, causing infomation leakage.",
  "id": "GHSA-9v7f-rj28-9x3v",
  "modified": "2022-06-04T00:00:51Z",
  "published": "2022-05-24T00:01:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41714"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sdfsky/tipask/commit/9b5f13d1708e9a5dc0959cb8a97be1c32b94ca69"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sdfsky/tipask/blob/c4e6aa9f6017c9664780570016954c0922d203b7/app/Http/Controllers/AttachController.php#L42"
    },
    {
      "type": "WEB",
      "url": "https://www.yuque.com/henry-weply/penetration/fza5hm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9WV6-VW4X-JJG6

Vulnerability from github – Published: 2026-02-24 18:31 – Updated: 2026-03-31 12:31
VLAI
Details

Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-494"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-24T16:24:06Z",
    "severity": "MODERATE"
  },
  "details": "Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.",
  "id": "GHSA-9wv6-vw4x-jjg6",
  "modified": "2026-03-31T12:31:34Z",
  "published": "2026-02-24T18:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47904"
    },
    {
      "type": "WEB",
      "url": "https://www.gruppotim.it/en/footer/TIM-red-team.html"
    },
    {
      "type": "WEB",
      "url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-unsigned-upgrade-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9XVF-CJVF-FF5Q

Vulnerability from github – Published: 2024-03-25 19:41 – Updated: 2024-03-25 19:41
VLAI
Summary
WP Crontrol vulnerable to possible RCE when combined with a pre-condition
Details

Impact

WP Crontrol includes a feature that allows administrative users to create events in the WP-Cron system that store and execute PHP code subject to the restrictive security permissions documented here. While there is no known vulnerability in this feature on its own, there exists potential for this feature to be vulnerable to RCE if it were specifically targeted via vulnerability chaining that exploited a separate SQLi (or similar) vulnerability.

This is exploitable on a site if one of the below preconditions are met:

  • The site is vulnerable to a writeable SQLi vulnerability in any plugin, theme, or WordPress core
  • The site's database is compromised at the hosting level
  • The site is vulnerable to a method of updating arbitrary options in the wp_options table
  • The site is vulnerable to a method of triggering an arbitrary action, filter, or function with control of the parameters

Patches

As a hardening measure, WP Crontrol version 1.16.2 ships with a new feature that prevents tampering of the code stored in a PHP cron event.

All PHP cron events are now secured via an integrity check that makes use of an HMAC to store a hash of the code alongside it when the event is saved. When the event runs, the hash is verified to ensure the code has not been tampered with. WP Crontrol will not execute the PHP code if the hash cannot be verified or if a stored hash is not present. If an attacker with database-level access were to modify the code in an event in an attempt to execute arbitrary code, the code would no longer execute.

Any PHP cron events that exist in the database prior to updating to version 1.16.2 will cease to execute until an administrative user re-saves them from the Cron Events screen in the admin area. A notice will be shown in the admin area informing administrative users if this is the case.

Workarounds

Given that one or more of the preconditions listed above are met, there are no known workarounds for this issue other than to update WP Crontrol to version 1.16.2 or later.

Note that neither the DISALLOW_FILE_MODS constant nor the DISALLOW_FILE_EDIT constant prevent this from being exploitable because these constants do not prevent PHP cron events from being executed. It's an intended feature of WP Crontrol that PHP cron events in the database will continue to run according to their schedule even if editing PHP cron events is disabled due to one of these constants being defined.

FAQ

Is my site at risk?

Your site is only at risk if at least one of the preconditions listed above are met and an attacker is actively attacking your site in order to exploit this. There is no known vulnerability in this feature on its own.

Why is this classified as high severity?

The CVSS score is used to classify the severity of a vulnerability in isolation, which in this case is high due to the possibility of RCE. The actual risk is likely to be low and is dependent entirely on one of the preconditions being met.

How is this any different to an SQLi vulnerability that would allow an attacker to create an Administrator user and then access the theme or plugin editor?

The difference is in the handling of the DISALLOW_FILE_MODS and DISALLOW_FILE_EDIT constants. With either one of these constants defined in your wp-config.php file then the plugin and theme editors are disabled. In WP Crontrol the ability to edit PHP cron events in WP Crontrol is also disabled in this case, however PHP cron events in the database will continue to run according to their schedule.

Thanks

This issue was identified by John Blackbourn, the author of the WP Crontrol plugin.

Thanks go to:

  • Calvin Alkan for researching and reporting many vulnerabilities in WordPress plugins and for publishing the details on the snicco blog. Calvin's work prompted me to investigate whether the PHP cron event functionality in WP Crontrol could be exploited when attacked via with vulnerability chaining, and he collaborated on this security advisory.
  • Joe Hoyle for collaborating on this advisory.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "johnbillion/wp-crontrol"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-494"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-25T19:41:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nWP Crontrol includes a feature that allows administrative users to create events in the WP-Cron system that store and execute PHP code [subject to the restrictive security permissions documented here](https://wp-crontrol.com/docs/php-cron-events/). While there is _no known vulnerability in this feature on its own_, there exists potential for this feature to be vulnerable to RCE if it were specifically targeted via vulnerability chaining that exploited a separate SQLi (or similar) vulnerability.\n\nThis is exploitable on a site if one of the below preconditions are met:\n\n* The site is vulnerable to a writeable SQLi vulnerability in any plugin, theme, or WordPress core\n* The site\u0027s database is compromised at the hosting level\n* The site is vulnerable to a method of updating arbitrary options in the `wp_options` table\n* The site is vulnerable to a method of triggering an arbitrary action, filter, or function with control of the parameters\n\n### Patches\n\nAs a hardening measure, WP Crontrol version 1.16.2 ships with a new feature that prevents tampering of the code stored in a PHP cron event.\n\nAll PHP cron events are now secured via an integrity check that makes use of an HMAC to store a hash of the code alongside it when the event is saved. When the event runs, the hash is verified to ensure the code has not been tampered with. WP Crontrol will not execute the PHP code if the hash cannot be verified or if a stored hash is not present. If an attacker with database-level access were to modify the code in an event in an attempt to execute arbitrary code, the code would no longer execute.\n\nAny PHP cron events that exist in the database prior to updating to version 1.16.2 will cease to execute until an administrative user re-saves them from the Cron Events screen in the admin area. A notice will be shown in the admin area informing administrative users if this is the case.\n\n### Workarounds\n\nGiven that one or more of the preconditions listed above are met, there are no known workarounds for this issue other than to update WP Crontrol to version 1.16.2 or later.\n\nNote that neither the `DISALLOW_FILE_MODS` constant nor the `DISALLOW_FILE_EDIT` constant prevent this from being exploitable because these constants do not prevent PHP cron events from being _executed_. It\u0027s an intended feature of WP Crontrol that PHP cron events in the database will continue to run according to their schedule even if editing PHP cron events is disabled due to one of these constants being defined.\n\n### FAQ\n\n#### Is my site at risk?\n\nYour site is only at risk if at least one of the preconditions listed above are met and an attacker is actively attacking your site in order to exploit this. There is no known vulnerability in this feature on its own.\n\n#### Why is this classified as high severity?\n\nThe CVSS score is used to classify the severity of a vulnerability in isolation, which in this case is high due to the possibility of RCE. The actual risk is likely to be low and is dependent entirely on one of the preconditions being met.\n\n#### How is this any different to an SQLi vulnerability that would allow an attacker to create an Administrator user and then access the theme or plugin editor?\n\nThe difference is in the handling of the `DISALLOW_FILE_MODS` and `DISALLOW_FILE_EDIT` constants. With either one of these constants defined in your wp-config.php file then the plugin and theme editors are disabled. In WP Crontrol the ability to _edit_ PHP cron events in WP Crontrol is also disabled in this case, however PHP cron events in the database will continue to run according to their schedule.\n\n### Thanks\n\nThis issue was identified by John Blackbourn, the author of the WP Crontrol plugin.\n\nThanks go to:\n\n* Calvin Alkan for researching and reporting many vulnerabilities in WordPress plugins and for [publishing the details on the snicco blog](https://snicco.io/vulnerability-disclosure). Calvin\u0027s work prompted me to investigate whether the PHP cron event functionality in WP Crontrol could be exploited when attacked via with vulnerability chaining, and he collaborated on this security advisory.\n* Joe Hoyle for collaborating on this advisory.",
  "id": "GHSA-9xvf-cjvf-ff5q",
  "modified": "2024-03-25T19:41:37Z",
  "published": "2024-03-25T19:41:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/johnbillion/wp-crontrol/security/advisories/GHSA-9xvf-cjvf-ff5q"
    },
    {
      "type": "WEB",
      "url": "https://github.com/johnbillion/wp-crontrol/commit/6d1fadcf6dfdd54e55feef27f916b0cfcd602405"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/johnbillion/wp-crontrol"
    },
    {
      "type": "WEB",
      "url": "https://github.com/johnbillion/wp-crontrol/releases/tag/1.16.2"
    },
    {
      "type": "WEB",
      "url": "https://snicco.io/vulnerability-disclosure"
    },
    {
      "type": "WEB",
      "url": "https://wp-crontrol.com/docs/php-cron-events"
    },
    {
      "type": "WEB",
      "url": "https://wp-crontrol.com/help/check-php-cron-events"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WP Crontrol vulnerable to possible RCE when combined with a pre-condition"
}

GHSA-C4J3-6346-FQQX

Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-17 00:01
VLAI
Details

A vulnerability exists in the file upload validation part of Hitachi Energy TXpert Hub CoreTec 4 product. The vulnerability allows an attacker or malicious agent who manages to gain access to the system and obtain an account with sufficient privilege to upload a malicious firmware to the product. This issue affects: Hitachi Energy TXpert Hub CoreTec 4 version 2.0.0; 2.0.1; 2.1.0; 2.1.1; 2.1.2; 2.1.3; 2.2.0; 2.2.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-35532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434",
      "CWE-494"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-07T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability exists in the file upload validation part of Hitachi Energy TXpert Hub CoreTec 4 product. The vulnerability allows an attacker or malicious agent who manages to gain access to the system and obtain an account with sufficient privilege to upload a malicious firmware to the product. This issue affects: Hitachi Energy TXpert Hub CoreTec 4 version 2.0.0; 2.0.1; 2.1.0; 2.1.1; 2.1.2; 2.1.3; 2.2.0; 2.2.1.",
  "id": "GHSA-c4j3-6346-fqqx",
  "modified": "2022-06-17T00:01:27Z",
  "published": "2022-06-08T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35532"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000080\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\u0026utm_campaign=\u0026utm_content=2022.04_5763_Cybersecurity%20Advisory%20Update_May_03\u0026utm_medium=email\u0026utm_source=Eloqua"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C5G4-G3X7-X8RM

Vulnerability from github – Published: 2024-02-06 03:32 – Updated: 2024-02-13 18:38
VLAI
Details

An issue in the com.oneed.dvr.service.DownloadFirmwareService component of IMOU GO v1.0.11 allows attackers to force the download of arbitrary files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47353"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-494"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-06T01:15:08Z",
    "severity": "HIGH"
  },
  "details": "An issue in the com.oneed.dvr.service.DownloadFirmwareService component of IMOU GO v1.0.11 allows attackers to force the download of arbitrary files.",
  "id": "GHSA-c5g4-g3x7-x8rm",
  "modified": "2024-02-13T18:38:22Z",
  "published": "2024-02-06T03:32:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47353"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actuator/imou/blob/main/com.dahua.imou.go-V1.0.11.md"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=com.dahua.imou.go"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C99V-PF2H-3C56

Vulnerability from github – Published: 2022-05-02 00:00 – Updated: 2024-02-15 21:31
VLAI
Details

Apple Mac OS X does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-3438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-494",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-08-01T14:41:00Z",
    "severity": "HIGH"
  },
  "details": "Apple Mac OS X does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.",
  "id": "GHSA-c99v-pf2h-3c56",
  "modified": "2024-02-15T21:31:23Z",
  "published": "2022-05-02T00:00:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3438"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2008-07/0250.html"
    },
    {
      "type": "WEB",
      "url": "http://www.infobyte.com.ar/down/Francisco%20Amato%20-%20evilgrade%20-%20ENG.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.infobyte.com.ar/down/isr-evilgrade-1.0.0.tar.gz"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJX8-RRQG-M2XF

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-05-14 18:30
VLAI
Details

A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected SIMATIC RTLS Locating Manager Clients do not properly check the integrity of update files. This could allow an unauthenticated remote attacker to alter update files in transit and trick an authorized user into installing malicious code. A successful exploit requires the attacker to be able to modify the communication between server and client on the network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-494"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T16:16:45Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions \u003c V3.0.1.1). Affected SIMATIC RTLS Locating Manager Clients do not properly check the integrity of update files. This could allow an unauthenticated remote attacker to alter update files in transit and trick an authorized user into installing malicious code. \nA successful exploit requires the attacker to be able to modify the communication between server and client on the network.",
  "id": "GHSA-cjx8-rrqg-m2xf",
  "modified": "2024-05-14T18:30:59Z",
  "published": "2024-05-14T18:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30206"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-093430.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-42
Implementation

Perform proper forward and reverse DNS lookups to detect DNS spoofing.

Mitigation
Architecture and Design Operation
  • Encrypt the code with a reliable encryption scheme before transmitting.
  • This will only be a partial solution, since it will not detect DNS spoofing and it will not prevent your code from being modified on the hosting site.
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Speficially, it may be helpful to use tools or frameworks to perform integrity checking on the transmitted code.
  • When providing the code that is to be downloaded, such as for automatic updates of the software, then use cryptographic signatures for the code and modify the download clients to verify the signatures. Ensure that the implementation does not contain CWE-295, CWE-320, CWE-347, and related weaknesses.
  • Use code signing technologies such as Authenticode. See references [REF-454] [REF-455] [REF-456].
Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Mitigation MIT-22
Architecture and Design Operation

Strategy: Sandbox or Jail

  • Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-184: Software Integrity Attack

An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, achieving the modification of the target's integrity to achieve an insecure state.

CAPEC-185: Malicious Software Download

An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack.

CAPEC-186: Malicious Software Update

An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source.

CAPEC-187: Malicious Automated Software Update via Redirection

An attacker exploits two layers of weaknesses in server or client software for automated update mechanisms to undermine the integrity of the target code-base. The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update.

CAPEC-533: Malicious Manual Software Update

An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location. These manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user to click a URL. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. Thus the attacker has in their arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface.

CAPEC-538: Open-Source Library Manipulation

Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.

CAPEC-657: Malicious Automated Software Update via Spoofing

An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker.

CAPEC-662: Adversary in the Browser (AiTB)

An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints.

CAPEC-691: Spoof Open-Source Software Metadata

An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.

CAPEC-692: Spoof Version Control System Commit Metadata

An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source.

CAPEC-693: StarJacking

An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.

CAPEC-695: Repo Jacking

An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.