CVE-2024-51720 (GCVE-0-2024-51720)

Vulnerability from cvelistv5 – Published: 2024-11-12 18:01 – Updated: 2025-09-11 20:22
VLAI?
Title
Vulnerabilities in SecuSUITE Server Components Impact SecuSUITE
Summary
An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim’s account and telephone number.
Severity ?
4.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
  • CWE-334 - Small Space of Random Values
Assigner
References
Impacted products
Vendor Product Version
BlackBerry SecuSUITE Affected: 5.0.420
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51720",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T21:38:30.257463Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T21:38:39.845Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "SecuSUITE Secure Client Authentication"
          ],
          "product": "SecuSUITE",
          "vendor": "BlackBerry",
          "versions": [
            {
              "status": "affected",
              "version": "5.0.420"
            }
          ]
        }
      ],
      "datePublic": "2024-11-12T17:35:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003en insufficient entropy vul\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003enerability \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein the \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSecuSUITE\u003c/span\u003e \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSecure Client Authentication (SCA) Server \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eof \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSecuSUITE\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e version\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003es\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e 5.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e0.420 and earlie\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003er could allow an \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eattacker to potentially \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eenroll an attacker-controlled device to the victim\u2019s account and telephone number.\u003c/span\u003e\u0026nbsp;"
            }
          ],
          "value": "An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim\u2019s account and telephone number."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-49",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-49 Password Brute Forcing"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-334",
              "description": "CWE-334 Small Space of Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-11T20:22:23.080Z",
        "orgId": "dbe78b00-5e7b-4fda-8748-329789ecfc5c",
        "shortName": "blackberry"
      },
      "references": [
        {
          "url": "https://support.blackberry.com/pkb/s/article/140220"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Vulnerabilities in SecuSUITE Server Components Impact SecuSUITE",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dbe78b00-5e7b-4fda-8748-329789ecfc5c",
    "assignerShortName": "blackberry",
    "cveId": "CVE-2024-51720",
    "datePublished": "2024-11-12T18:01:49.411Z",
    "dateReserved": "2024-10-30T17:19:06.485Z",
    "dateUpdated": "2025-09-11T20:22:23.080Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim\\u2019s account and telephone number.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de entrop\\u00eda insuficiente en SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE de las versiones 5.0.420 y anteriores, podr\\u00eda permitir que un atacante registre potencialmente un dispositivo controlado por el atacante en la cuenta y el n\\u00famero de tel\\u00e9fono de la v\\u00edctima.\"}]",
      "id": "CVE-2024-51720",
      "lastModified": "2024-11-13T17:01:58.603",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"secure@blackberry.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 2.5}]}",
      "published": "2024-11-12T18:15:46.693",
      "references": "[{\"url\": \"https://support.blackberry.com/pkb/s/article/140220\", \"source\": \"secure@blackberry.com\"}]",
      "sourceIdentifier": "secure@blackberry.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"secure@blackberry.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-307\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-51720\",\"sourceIdentifier\":\"secure@blackberry.com\",\"published\":\"2024-11-12T18:15:46.693\",\"lastModified\":\"2025-09-11T21:15:33.043\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim\u2019s account and telephone number.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de entrop\u00eda insuficiente en SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE de las versiones 5.0.420 y anteriores, podr\u00eda permitir que un atacante registre potencialmente un dispositivo controlado por el atacante en la cuenta y el n\u00famero de tel\u00e9fono de la v\u00edctima.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secure@blackberry.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"secure@blackberry.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-307\"},{\"lang\":\"en\",\"value\":\"CWE-334\"}]}],\"references\":[{\"url\":\"https://support.blackberry.com/pkb/s/article/140220\",\"source\":\"secure@blackberry.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-51720\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-12T21:38:30.257463Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-12T21:38:36.144Z\"}}], \"cna\": {\"title\": \"Vulnerabilities in SecuSUITE Server Components Impact SecuSUITE\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-49\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-49 Password Brute Forcing\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"BlackBerry\", \"modules\": [\"SecuSUITE Secure Client Authentication\"], \"product\": \"SecuSUITE\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.0.420\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-11-12T17:35:00.000Z\", \"references\": [{\"url\": \"https://support.blackberry.com/pkb/s/article/140220\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim\\u2019s account and telephone number.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eA\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003en insufficient entropy vul\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003enerability \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ein the \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eSecuSUITE\u003c/span\u003e \u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eSecure Client Authentication (SCA) Server \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eof \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eSecuSUITE\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e version\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003es\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e 5.\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e0.420 and earlie\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003er could allow an \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eattacker to potentially \u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eenroll an attacker-controlled device to the victim\\u2019s account and telephone number.\u003c/span\u003e\u0026nbsp;\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-307\", \"description\": \"CWE-307 Improper Restriction of Excessive Authentication Attempts\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-334\", \"description\": \"CWE-334 Small Space of Random Values\"}]}], \"providerMetadata\": {\"orgId\": \"dbe78b00-5e7b-4fda-8748-329789ecfc5c\", \"shortName\": \"blackberry\", \"dateUpdated\": \"2025-09-11T20:22:23.080Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-51720\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-11T20:22:23.080Z\", \"dateReserved\": \"2024-10-30T17:19:06.485Z\", \"assignerOrgId\": \"dbe78b00-5e7b-4fda-8748-329789ecfc5c\", \"datePublished\": \"2024-11-12T18:01:49.411Z\", \"assignerShortName\": \"blackberry\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.