CVE-2024-38280 - OpenCVE

An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text.

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Motorolasolutions	Vigilant Fixed Lpr Coms Box

No data.

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-19

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-06-13T17:05:58.531Z

Updated: 2024-08-02T04:04:25.205Z

Reserved: 2024-06-12T16:16:09.648Z

Link: CVE-2024-38280

Vulnrichment

Updated: 2024-07-05T20:35:43.342Z

NVD

Status : Awaiting Analysis

Published: 2024-06-13T17:15:51.477

Modified: 2024-06-13T18:35:19.777

Link: CVE-2024-38280

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38280", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-06-12T16:16:09.648Z", "datePublished": "2024-06-13T17:05:58.531Z", "dateUpdated": "2024-08-02T04:04:25.205Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Vigilant Fixed LPR Coms Box (BCAV1F2-C600)", "vendor": "Motorola Solutions", "versions": [{"lessThanOrEqual": "3.1.171.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "The Michigan State Police Michigan Cyber Command Center (MC3)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text.</p><br>\n\n"}], "value": "An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "baseScore": 7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-313", "description": "CWE-313: Cleartext Storage in a File or on Disk", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-06-13T17:05:58.531Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-19"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>\n\n</p><p>Motorola Solutions recommends the following for each identified vulnerability:</p><p></p><p>CVE-2024-38280:</p><ul><li>Apply encryption to all Criminal Justice Information (CJI) data.</li><li>Apply full disk encryption with LUKS encryption standards and add password protection<br>to the GRUB Bootloader.</li><li>Perform column-level encryption for sensitive data in the database.</li></ul><p>All devices shipped after May 10, 2024 are already using full disk encryption. All devices that<br>are not able to have full disk encryption applied have had all CJI data encrypted. No further<br>actions are required by customers.</p>\n\n<br>"}], "value": "Motorola Solutions recommends the following for each identified vulnerability:\n\n\n\nCVE-2024-38280:\n\n * Apply encryption to all Criminal Justice Information (CJI) data.\n * Apply full disk encryption with LUKS encryption standards and add password protection\nto the GRUB Bootloader.\n * Perform column-level encryption for sensitive data in the database.\n\n\nAll devices shipped after May 10, 2024 are already using full disk encryption. All devices that\nare not able to have full disk encryption applied have had all CJI data encrypted. No further\nactions are required by customers."}], "source": {"discovery": "UNKNOWN"}, "title": "Cleartext Storage in a File or on Disk in Motorola Solutions Vigilant Fixed LPR Coms Box (BCAV1F2-C600)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "motorolasolutions", "product": "vigilant_fixed_lpr_coms_box", "cpes": ["cpe:2.3:a:motorolasolutions:vigilant_fixed_lpr_coms_box:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.171.9", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-27T20:16:58.305340Z", "id": "CVE-2024-38280", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T19:50:06.502Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:04:25.205Z"}, "title": "CVE Program Container", "references": [{"tags": ["government-resource", "x_transferred"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-19"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38280", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-27T20:16:58.305340Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:motorolasolutions:vigilant_fixed_lpr_coms_box:*:*:*:*:*:*:*:*"], "vendor": "motorolasolutions", "product": "vigilant_fixed_lpr_coms_box", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.1.171.9"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T20:35:43.342Z"}}], "cna": {"title": "Cleartext Storage in a File or on Disk in Motorola Solutions Vigilant Fixed LPR Coms Box (BCAV1F2-C600)", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "The Michigan State Police Michigan Cyber Command Center (MC3)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Motorola Solutions", "product": "Vigilant Fixed LPR Coms Box (BCAV1F2-C600)", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.1.171.9"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Motorola Solutions recommends the following for each identified vulnerability:\n\n\n\nCVE-2024-38280:\n\n * Apply encryption to all Criminal Justice Information (CJI) data.\n * Apply full disk encryption with LUKS encryption standards and add password protection\nto the GRUB Bootloader.\n * Perform column-level encryption for sensitive data in the database.\n\n\nAll devices shipped after May 10, 2024 are already using full disk encryption. All devices that\nare not able to have full disk encryption applied have had all CJI data encrypted. No further\nactions are required by customers.", "supportingMedia": [{"type": "text/html", "value": "\n\n<p>\n\n</p><p>Motorola Solutions recommends the following for each identified vulnerability:</p><p></p><p>CVE-2024-38280:</p><ul><li>Apply encryption to all Criminal Justice Information (CJI) data.</li><li>Apply full disk encryption with LUKS encryption standards and add password protection<br>to the GRUB Bootloader.</li><li>Perform column-level encryption for sensitive data in the database.</li></ul><p>All devices shipped after May 10, 2024 are already using full disk encryption. All devices that<br>are not able to have full disk encryption applied have had all CJI data encrypted. No further<br>actions are required by customers.</p>\n\n<br>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-19", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text.", "supportingMedia": [{"type": "text/html", "value": "\n\n<p>An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text.</p><br>\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-313", "description": "CWE-313: Cleartext Storage in a File or on Disk"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-06-13T17:05:58.531Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38280", "state": "PUBLISHED", "dateUpdated": "2024-07-08T19:50:06.502Z", "dateReserved": "2024-06-12T16:16:09.648Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2024-06-13T17:05:58.531Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text."}, {"lang": "es", "value": "Un usuario no autorizado puede obtener acceso a datos confidenciales, incluidas las credenciales, recuperando f\u00edsicamente el disco duro del producto, ya que los datos se almacenan en texto plano."}], "id": "CVE-2024-38280", "lastModified": "2024-06-13T18:35:19.777", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2024-06-13T17:15:51.477", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-19"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-313"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}