CVE-2024-5558 - Vulnerability Details - OpenCVE

Description

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could
cause escalation of privileges when an attacker abuses a limited admin account.

Published: 2024-06-12

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Schneider Electric

SpaceLogic AS-P

unaffected

Version	Status	Constraints
`V5.0.3 and prior`	affected	—

Schneider Electric

SpaceLogic AS-B

unaffected

Version	Status	Constraints
`V5.0.3 and prior`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:schneider-electric:spacelogic_as-b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:spacelogic_as-b:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:schneider-electric:spacelogic_as-p_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:schneider-electric:spacelogic_as-p:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-46757	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could cause escalation of privileges when an attacker abuses a limited admin account.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00068.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf

History

No history.

Subscriptions

Schneider-electric Spacelogic As-b Spacelogic As-b Firmware Spacelogic As-p Spacelogic As-p Firmware

MITRE

Status: PUBLISHED

Assigner: schneider

Published: 2024-06-12T16:26:26.294Z

Updated: 2024-08-01T21:18:06.335Z

Reserved: 2024-05-31T06:58:47.453Z

Link: CVE-2024-5558

Vulnrichment

Updated: 2024-08-01T21:18:06.335Z

NVD

Status : Modified

Published: 2024-06-12T17:15:52.160

Modified: 2024-11-21T09:47:55.700

Link: CVE-2024-5558

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-367

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5558", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "state": "PUBLISHED", "assignerShortName": "schneider", "dateReserved": "2024-05-31T06:58:47.453Z", "datePublished": "2024-06-12T16:26:26.294Z", "dateUpdated": "2024-08-01T21:18:06.335Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SpaceLogic AS-P", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "V5.0.3 and prior"}]}, {"defaultStatus": "unaffected", "product": "SpaceLogic AS-B", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "V5.0.3 and prior"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nCWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could\ncause escalation of privileges when an attacker abuses a limited admin account.\n\n"}], "value": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could\ncause escalation of privileges when an attacker abuses a limited admin account."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2024-06-12T16:26:26.294Z"}, "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "schneider-electric", "product": "spacelogic_as-b", "cpes": ["cpe:2.3:h:schneider-electric:spacelogic_as-b:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.3", "versionType": "custom"}]}, {"vendor": "schneider-electric", "product": "spacelogic_as-p", "cpes": ["cpe:2.3:h:schneider-electric:spacelogic_as-p:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-12T18:07:10.554620Z", "id": "CVE-2024-5558", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T16:20:36.411Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.335Z"}, "title": "CVE Program Container", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.335Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5558", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-12T18:07:10.554620Z"}}}], "affected": [{"cpes": ["cpe:2.3:h:schneider-electric:spacelogic_as-b:*:*:*:*:*:*:*:*"], "vendor": "schneider-electric", "product": "spacelogic_as-b", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.0.3"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:h:schneider-electric:spacelogic_as-p:*:*:*:*:*:*:*:*"], "vendor": "schneider-electric", "product": "spacelogic_as-p", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.0.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:07:04.758Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Schneider Electric", "product": "SpaceLogic AS-P", "versions": [{"status": "affected", "version": "V5.0.3 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Schneider Electric", "product": "SpaceLogic AS-B", "versions": [{"status": "affected", "version": "V5.0.3 and prior"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could\ncause escalation of privileges when an attacker abuses a limited admin account.", "supportingMedia": [{"type": "text/html", "value": "\n\nCWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could\ncause escalation of privileges when an attacker abuses a limited admin account.\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "shortName": "schneider", "dateUpdated": "2024-06-12T16:26:26.294Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5558", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:18:06.335Z", "dateReserved": "2024-05-31T06:58:47.453Z", "assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb", "datePublished": "2024-06-12T16:26:26.294Z", "assignerShortName": "schneider"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:spacelogic_as-b_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BD47138-7C8F-4D8B-A669-74395596363D", "versionEndExcluding": "6.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:spacelogic_as-b:-:*:*:*:*:*:*:*", "matchCriteriaId": "A50B62A0-A6FB-4AB4-94A0-D054C5ADB015", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:schneider-electric:spacelogic_as-p_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA1ABCFA-8D7D-4288-AA9F-FF1B177DBB4E", "versionEndExcluding": "6.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:schneider-electric:spacelogic_as-p:-:*:*:*:*:*:*:*", "matchCriteriaId": "E516910C-FC39-46FA-82A5-0BF3546FDF33", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could\ncause escalation of privileges when an attacker abuses a limited admin account."}, {"lang": "es", "value": "CWE-367: Existe una vulnerabilidad de condici\u00f3n de ejecuci\u00f3n de tiempo de verificaci\u00f3n y tiempo de uso (TOCTOU) que podr\u00eda provocar una escalada de privilegios cuando un atacante abusa de una cuenta de administrador limitada."}], "id": "CVE-2024-5558", "lastModified": "2024-11-21T09:47:55.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "cybersecurity@se.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-12T17:15:52.160", "references": [{"source": "cybersecurity@se.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-04.pdf"}], "sourceIdentifier": "cybersecurity@se.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "cybersecurity@se.com", "type": "Secondary"}]}