Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability by Atelmo
CVE-2024-9166 (GCVE-0-2024-9166)
Vulnerability from cvelistv5 – Published: 2024-09-26 16:55 – Updated: 2024-09-26 18:23
VLAI
Title
OS Command Injection in Atelmo Atemio AM 520 HD Full HD Satellite Receiver
Summary
The device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the 'getcommand' query within the application, allowing the attacker to gain root access.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cisa.gov/news-events/ics-advisories/i… | government-resource |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Atelmo | Atemio AM 520 HD Full HD Satellite Receiver |
Affected:
0 , ≤ TitanNit 2.01
(custom)
|
|
| atelmo | atemio_am_520_hd_firmware |
Affected:
0 , ≤ titannit_2.01
(custom)
cpe:2.3:o:atelmo:atemio_am_520_hd_firmware:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:atelmo:atemio_am_520_hd_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "atemio_am_520_hd_firmware",
"vendor": "atelmo",
"versions": [
{
"lessThanOrEqual": "titannit_2.01",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T17:45:19.138785Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T18:23:52.328Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Atemio AM 520 HD Full HD Satellite Receiver",
"vendor": "Atelmo",
"versions": [
{
"lessThanOrEqual": "TitanNit 2.01",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "CISA discovered a public Proof of Concept (PoC) as authored by Gjoko Krstic and reported it to Atelmo."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the \u0027getcommand\u0027 query within the application, allowing the attacker to gain root access.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "The device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the \u0027getcommand\u0027 query within the application, allowing the attacker to gain root access."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T16:55:51.242Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-270-03"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAtelmo has stated that this product has been discontinued. There are no service or support addresses that can be contacted.\u003c/p\u003e\u003cp\u003eFor more information, contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.atelmo.com/epages/Atelmo.sf/de_DE/?ObjectPath=/Shops/Atelmo/Categories/Service/Kontakt\"\u003eAtelmo\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Atelmo has stated that this product has been discontinued. There are no service or support addresses that can be contacted.\n\nFor more information, contact Atelmo https://www.atelmo.com/epages/Atelmo.sf/de_DE/ ."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OS Command Injection in Atelmo Atemio AM 520 HD Full HD Satellite Receiver",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-9166",
"datePublished": "2024-09-26T16:55:51.242Z",
"dateReserved": "2024-09-24T19:19:58.951Z",
"dateUpdated": "2024-09-26T18:23:52.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}