github - ghsa-qc4v-92xf-xp3m

GHSA-QC4V-92XF-XP3M

Vulnerability from github – Published: 2025-04-25 15:31 – Updated: 2025-04-25 15:31

Details

The device exposes a web interface on ports TCP/3030 and TCP/9882. This web service runs lighttpd, which implements the “SNORE” interface. This interface is affected by a stack buffer overflow vulnerability due to insecure path parsing. An attacker with access to the LAN network interface could use a specially crafted HTTP request to exploit a buffer overflow on the modem.

Severity ?

7.7 (High)


                  
                    CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Red

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-6198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-25T13:15:42Z",
    "severity": "HIGH"
  },
  "details": "The device exposes a web interface on ports TCP/3030 and TCP/9882. This web service runs lighttpd, which implements the\u00a0\u201cSNORE\u201d interface. This interface is affected by a stack buffer overflow vulnerability due to insecure path parsing. An attacker\nwith access to the LAN network interface could use a specially crafted HTTP request to exploit a buffer overflow on the\u00a0modem.",
  "id": "GHSA-qc4v-92xf-xp3m",
  "modified": "2025-04-25T15:31:21Z",
  "published": "2025-04-25T15:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6198"
    },
    {
      "type": "WEB",
      "url": "https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6198"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2024-6198 (GCVE-0-2024-6198)

Vulnerability from cvelistv5 – Published: 2025-04-25 13:02 – Updated: 2025-05-08 03:56

Summary

Severity ?

7.7 (High)


                        
                          CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Red

CWE

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Assigner

ONEKEY

References

URL

Tags

https://www.onekey.com/resource/security-advisory…

third-party-advisorytechnical-description

Impacted products

Vendor

Product

Version

ViaSat

RM4100

Affected: 0 , < 3.8.0.4 (semver)

Viasat	RM4200	Affected: 0 , < 3.8.0.4 (semver)
Viasat	EM4100	Affected: 0 , < 3.8.0.4 (semver)
Viasat	RM5110	Affected: 0 , ≤ 4.3.0.1 (semver)
Viasat	RM5111	Affected: 0 , ≤ 4.3.0.1 (semver)
Viasat	RG1000	Affected: 0 , ≤ 4.3.0.1 (semver)
Viasat	RG1100	Affected: 0 , ≤ 4.3.0.1 (semver)
Viasat	EG1000	Affected: 0 , ≤ 4.3.0.1 (semver)
Viasat	EG1020	Affected: 0 , ≤ 4.3.0.1 (semver)

Credits

Quentin Kaiser from ONEKEY Research Labs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6198",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-07T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-08T03:56:03.465Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "RM4100",
          "vendor": "ViaSat",
          "versions": [
            {
              "lessThan": "3.8.0.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RM4200",
          "vendor": "Viasat",
          "versions": [
            {
              "lessThan": "3.8.0.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EM4100",
          "vendor": "Viasat",
          "versions": [
            {
              "lessThan": "3.8.0.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RM5110",
          "vendor": "Viasat",
          "versions": [
            {
              "lessThanOrEqual": "4.3.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RM5111",
          "vendor": "Viasat",
          "versions": [
            {
              "lessThanOrEqual": "4.3.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RG1000",
          "vendor": "Viasat",
          "versions": [
            {
              "lessThanOrEqual": "4.3.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "RG1100",
          "vendor": "Viasat",
          "versions": [
            {
              "lessThanOrEqual": "4.3.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EG1000",
          "vendor": "Viasat",
          "versions": [
            {
              "lessThanOrEqual": "4.3.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EG1020",
          "vendor": "Viasat",
          "versions": [
            {
              "lessThanOrEqual": "4.3.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Quentin Kaiser from ONEKEY Research Labs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The device exposes a web interface on ports TCP/3030 and TCP/9882. This web service runs lighttpd, which implements the\u0026nbsp;\u201cSNORE\u201d interface. This interface is affected by a stack buffer overflow vulnerability due to insecure path parsing. An attacker\u003cbr\u003ewith access to the LAN network interface could use a specially crafted HTTP request to exploit a buffer overflow on the\u0026nbsp;modem."
            }
          ],
          "value": "The device exposes a web interface on ports TCP/3030 and TCP/9882. This web service runs lighttpd, which implements the\u00a0\u201cSNORE\u201d interface. This interface is affected by a stack buffer overflow vulnerability due to insecure path parsing. An attacker\nwith access to the LAN network interface could use a specially crafted HTTP request to exploit a buffer overflow on the\u00a0modem."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-25T13:02:43.673Z",
        "orgId": "2d533b80-6e4a-4e20-93e2-171235122846",
        "shortName": "ONEKEY"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory",
            "technical-description"
          ],
          "url": "https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6198"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Make sure your devices are online so they can receive the automated update from Viasat. Make sure your device received the update by getting the running version using the administrative interface."
            }
          ],
          "value": "Make sure your devices are online so they can receive the automated update from Viasat. Make sure your device received the update by getting the running version using the administrative interface."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-05-13T09:13:00.000Z",
          "value": "Initial coordinated vulnerability disclosure request"
        },
        {
          "lang": "en",
          "time": "2024-05-28T07:15:00.000Z",
          "value": "Report sent to ViaSat"
        },
        {
          "lang": "en",
          "time": "2024-06-19T14:00:00.000Z",
          "value": "Call between ViaSat and ONEKEY for vulnerability assessment"
        },
        {
          "lang": "en",
          "time": "2025-04-25T13:00:00.000Z",
          "value": "Coordinated disclosure by ONEKEY and Viasat"
        }
      ],
      "title": "SNORE Interface Unauthenticated Remote Code Execution",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2d533b80-6e4a-4e20-93e2-171235122846",
    "assignerShortName": "ONEKEY",
    "cveId": "CVE-2024-6198",
    "datePublished": "2025-04-25T13:02:43.673Z",
    "dateReserved": "2024-06-20T09:18:03.225Z",
    "dateUpdated": "2025-05-08T03:56:03.465Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-QC4V-92XF-XP3M

CVE-2024-6198 (GCVE-0-2024-6198)

Tags

Sightings

Nomenclature