ГлавнаяУязвимости → CVE-2024-47943
9.8критическая

CVE-2024-47943

Описание

The firmware upgrade function in the admin web interface of the Rittal IoT Interface & CMC III Processing Unit devices checks if the patch files are signed before executing the containing run.sh script. The signing process is kind of an HMAC with a long string as key which is hard-coded in the firmware and is freely available for download. This allows crafting malicious "signed" .patch files in order to compromise the device and execute arbitrary code.

CVSS
Балл9.8 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://r.sec-consult.com/rittaliothttps://www.rittal.com/de-de/products/deep/3124300http://seclists.org/fulldisclosure/2024/Oct/4