{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52288", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-06T19:00:26.393Z", "datePublished": "2024-11-11T19:10:48.919Z", "dateUpdated": "2024-11-12T14:48:17.830Z"}, "containers": {"cna": {"title": "RMAC revert to the beginning of the session in libosdp", "problemTypes": [{"descriptions": [{"cweId": "CWE-924", "lang": "en", "description": "CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/goToMain/libosdp/security/advisories/GHSA-xhjw-7vh5-qxqm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/goToMain/libosdp/security/advisories/GHSA-xhjw-7vh5-qxqm"}, {"name": "https://github.com/goToMain/libosdp/commit/298576d9214b48214092eebdd892ec77be085e5a", "tags": ["x_refsource_MISC"], "url": "https://github.com/goToMain/libosdp/commit/298576d9214b48214092eebdd892ec77be085e5a"}], "affected": [{"vendor": "goToMain", "product": "libosdp", "versions": [{"version": "< 3.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-11T19:10:48.919Z"}, "descriptions": [{"lang": "en", "value": "libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol) and provides a C library with support for C++, Rust and Python3. In affected versions an unexpected `REPLY_CCRYPT` or `REPLY_RMAC_I` may be introduced into an active stream when they should not be. Once RMAC_I message can be sent during a session, attacker with MITM access to the communication may intercept the original RMAC_I reply and save it. While the session continues, the attacker will record all of the replies and save them, till capturing the message to be replied (can be detected by ID, length or time based on inspection of visual activity next to the reader) Once attacker captures a session with the message to be replayed, he stops resetting the connection and waits for signal to perform the replay to of the PD to CP message (ex: by signaling remotely to the MIMT device or setting a specific timing). In order to replay, the attacker will craft a specific RMAC_I message in the proper seq of the execution, which will result in reverting the RMAC to the beginning of the session. At that phase - attacker can replay all the messages from the beginning of the session. This issue has been addressed in commit `298576d9` which is included in release version 3.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-xhjw-7vh5-qxqm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-12T14:48:07.852440Z", "id": "CVE-2024-52288", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-12T14:48:17.830Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-52288", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-12T14:48:07.852440Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-12T14:48:13.443Z"}}], "cna": {"title": "RMAC revert to the beginning of the session in libosdp", "source": {"advisory": "GHSA-xhjw-7vh5-qxqm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "goToMain", "product": "libosdp", "versions": [{"status": "affected", "version": "< 3.0.0"}]}], "references": [{"url": "https://github.com/goToMain/libosdp/security/advisories/GHSA-xhjw-7vh5-qxqm", "name": "https://github.com/goToMain/libosdp/security/advisories/GHSA-xhjw-7vh5-qxqm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/goToMain/libosdp/commit/298576d9214b48214092eebdd892ec77be085e5a", "name": "https://github.com/goToMain/libosdp/commit/298576d9214b48214092eebdd892ec77be085e5a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol) and provides a C library with support for C++, Rust and Python3. In affected versions an unexpected `REPLY_CCRYPT` or `REPLY_RMAC_I` may be introduced into an active stream when they should not be. Once RMAC_I message can be sent during a session, attacker with MITM access to the communication may intercept the original RMAC_I reply and save it. While the session continues, the attacker will record all of the replies and save them, till capturing the message to be replied (can be detected by ID, length or time based on inspection of visual activity next to the reader) Once attacker captures a session with the message to be replayed, he stops resetting the connection and waits for signal to perform the replay to of the PD to CP message (ex: by signaling remotely to the MIMT device or setting a specific timing). In order to replay, the attacker will craft a specific RMAC_I message in the proper seq of the execution, which will result in reverting the RMAC to the beginning of the session. At that phase - attacker can replay all the messages from the beginning of the session. This issue has been addressed in commit `298576d9` which is included in release version 3.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-924", "description": "CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-11T19:10:48.919Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52288", "state": "PUBLISHED", "dateUpdated": "2024-11-12T14:48:17.830Z", "dateReserved": "2024-11-06T19:00:26.393Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-11T19:10:48.919Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol) and provides a C library with support for C++, Rust and Python3. In affected versions an unexpected `REPLY_CCRYPT` or `REPLY_RMAC_I` may be introduced into an active stream when they should not be. Once RMAC_I message can be sent during a session, attacker with MITM access to the communication may intercept the original RMAC_I reply and save it. While the session continues, the attacker will record all of the replies and save them, till capturing the message to be replied (can be detected by ID, length or time based on inspection of visual activity next to the reader) Once attacker captures a session with the message to be replayed, he stops resetting the connection and waits for signal to perform the replay to of the PD to CP message (ex: by signaling remotely to the MIMT device or setting a specific timing). In order to replay, the attacker will craft a specific RMAC_I message in the proper seq of the execution, which will result in reverting the RMAC to the beginning of the session. At that phase - attacker can replay all the messages from the beginning of the session. This issue has been addressed in commit `298576d9` which is included in release version 3.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "libosdp es una implementaci\u00f3n de IEC 60839-11-5 OSDP (Open Supervised Device Protocol) y proporciona una librer\u00eda C con soporte para C++, Rust y Python3. En las versiones afectadas, se puede introducir un `REPLY_CCRYPT` o `REPLY_RMAC_I` inesperado en un flujo activo cuando no deber\u00eda ser as\u00ed. Una vez que se puede enviar un mensaje RMAC_I durante una sesi\u00f3n, el atacante con acceso MITM a la comunicaci\u00f3n puede interceptar la respuesta RMAC_I original y guardarla. Mientras la sesi\u00f3n contin\u00faa, el atacante registrar\u00e1 todas las respuestas y las guardar\u00e1, hasta capturar el mensaje a ser respondido (se puede detectar por ID, longitud o tiempo en funci\u00f3n de la inspecci\u00f3n de la actividad visual junto al lector). Una vez que el atacante captura una sesi\u00f3n con el mensaje a ser reproducido, deja de restablecer la conexi\u00f3n y espera la se\u00f1al para realizar la reproducci\u00f3n del mensaje PD a CP (por ejemplo: se\u00f1alando remotamente al dispositivo MIMT o estableciendo un tiempo espec\u00edfico). Para poder reproducir, el atacante crear\u00e1 un mensaje RMAC_I espec\u00edfico en la secuencia adecuada de ejecuci\u00f3n, lo que har\u00e1 que el RMAC vuelva al principio de la sesi\u00f3n. En esa fase, el atacante puede reproducir todos los mensajes desde el principio de la sesi\u00f3n. Este problema se ha solucionado en el commit `298576d9`, que se incluye en la versi\u00f3n de lanzamiento 3.0.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-52288", "lastModified": "2024-11-12T13:55:21.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-11-11T20:15:20.013", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/goToMain/libosdp/commit/298576d9214b48214092eebdd892ec77be085e5a"}, {"source": "security-advisories@github.com", "url": "https://github.com/goToMain/libosdp/security/advisories/GHSA-xhjw-7vh5-qxqm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-924"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}