CVE-2024-22472 - Vulnerability Details - OpenCVE

Description

A buffer Overflow vulnerability in Silicon Labs 500 Series Z-Wave devices may allow Denial of Service, and potential Remote Code execution

This issue affects all versions of Silicon Labs 500 Series SDK prior to v6.85.2

running on Silicon Labs 500 series Z-wave devices.

Published: 2024-05-07

Score: 8.1 High

EPSS: 4.1% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Silicon Labs

Z-Wave SDK

unaffected

Version	Status	Constraints
`0`	affected	< 6.85.2

No data.

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-20016	A buffer Overflow vulnerability in Silicon Labs 500 Series Z-Wave devices may allow Denial of Service, and potential Remote Code execution This issue affects all versions of Silicon Labs 500 Series SDK prior to v6.85.2 running on Silicon Labs 500 series Z-wave devices.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.041.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://community.silabs.com/068Vm000004rZwm

History

No history.

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Silabs

Published: 2024-05-07T05:17:26.626Z

Updated: 2024-08-01T22:51:09.827Z

Reserved: 2024-01-10T19:20:24.393Z

Link: CVE-2024-22472

Vulnrichment

Updated: 2024-08-01T22:51:09.827Z

NVD

Status : Deferred

Published: 2024-05-07T06:15:07.410

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-22472

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-120

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22472", "assignerOrgId": "030b2754-1501-44a4-bef8-48be86a33bf4", "state": "PUBLISHED", "assignerShortName": "Silabs", "dateReserved": "2024-01-10T19:20:24.393Z", "datePublished": "2024-05-07T05:17:26.626Z", "dateUpdated": "2024-08-01T22:51:09.827Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Z-Wave SDK", "500 Series Z-Wave Devices"], "platforms": ["ARM"], "product": "Z-Wave SDK", "repo": "https://github.com/SiliconLabs/gecko_sdk/releases", "vendor": "Silicon Labs", "versions": [{"lessThan": "6.85.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>A buffer Overflow vulnerability in Silicon Labs 500 Series Z-Wave devices may allow Denial of Service, and potential Remote Code execution</p><p>This issue affects all versions of Silicon Labs <span style=\"background-color: rgb(255, 255, 255);\">500 Series SDK prior to v6.85.2</span>\n\nrunning on Silicon Labs 500 series Z-wave devices.</p>\n\n<p></p>"}], "value": "\nA buffer Overflow vulnerability in Silicon Labs 500 Series Z-Wave devices may allow Denial of Service, and potential Remote Code execution\n\nThis issue affects all versions of Silicon Labs\u00a0500 Series SDK prior to v6.85.2\n\nrunning on Silicon Labs 500 series Z-wave devices.\n\n"}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}, {"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "030b2754-1501-44a4-bef8-48be86a33bf4", "shortName": "Silabs", "dateUpdated": "2024-05-07T05:17:26.626Z"}, "references": [{"url": "https://community.silabs.com/068Vm000004rZwm"}], "source": {"discovery": "UNKNOWN"}, "title": "Long S0 frames received by 500 series Z-Wave devices may cause buffer overflow", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22472", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-08T15:45:43.968246Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:silabs:z-wave_software_development_kit:-:*:*:*:*:*:*:*"], "vendor": "silabs", "product": "z-wave_software_development_kit", "versions": [{"status": "affected", "version": "0", "lessThan": "6.85.2", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:52:56.713Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:51:09.827Z"}, "title": "CVE Program Container", "references": [{"url": "https://community.silabs.com/068Vm000004rZwm", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://community.silabs.com/068Vm000004rZwm", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:51:09.827Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22472", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-08T15:45:43.968246Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:silabs:z-wave_software_development_kit:-:*:*:*:*:*:*:*"], "vendor": "silabs", "product": "z-wave_software_development_kit", "versions": [{"status": "affected", "version": "0", "lessThan": "6.85.2", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-08T15:45:17.499Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Long S0 frames received by 500 series Z-Wave devices may cause buffer overflow", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}, {"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/SiliconLabs/gecko_sdk/releases", "vendor": "Silicon Labs", "modules": ["Z-Wave SDK", "500 Series Z-Wave Devices"], "product": "Z-Wave SDK", "versions": [{"status": "affected", "version": "0", "lessThan": "6.85.2", "versionType": "semver"}], "platforms": ["ARM"], "defaultStatus": "unaffected"}], "references": [{"url": "https://community.silabs.com/068Vm000004rZwm"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\nA buffer Overflow vulnerability in Silicon Labs 500 Series Z-Wave devices may allow Denial of Service, and potential Remote Code execution\n\nThis issue affects all versions of Silicon Labs\u00a0500 Series SDK prior to v6.85.2\n\nrunning on Silicon Labs 500 series Z-wave devices.\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<p>A buffer Overflow vulnerability in Silicon Labs 500 Series Z-Wave devices may allow Denial of Service, and potential Remote Code execution</p><p>This issue affects all versions of Silicon Labs <span style=\"background-color: rgb(255, 255, 255);\">500 Series SDK prior to v6.85.2</span>\n\nrunning on Silicon Labs 500 series Z-wave devices.</p>\n\n<p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "030b2754-1501-44a4-bef8-48be86a33bf4", "shortName": "Silabs", "dateUpdated": "2024-05-07T05:17:26.626Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22472", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:51:09.827Z", "dateReserved": "2024-01-10T19:20:24.393Z", "assignerOrgId": "030b2754-1501-44a4-bef8-48be86a33bf4", "datePublished": "2024-05-07T05:17:26.626Z", "assignerShortName": "Silabs"}, "dataVersion": "5.1"}