CVE-2024-8258 - Vulnerability Details

- Insecure Electron Fuses in Logitech Options Plus Allowing Arbitrary Code Execution on macOS

Description

Improper Control of Generation of Code ('Code Injection') in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration.

Published: 2024-09-10

Score: 2 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Logitech

Logitech Options Plus

unaffected

Version	Status	Constraints
`1.60.496306`	affected	< 1.70
`1.70`	unaffected	—

Configuration 1 [-]

AND

cpe:2.3:a:logitech:logi_options\+:*:*:*:*:*:*:*:*

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update to Logitech Options Plus version 1.70 or later.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-49051	Improper Control of Generation of Code ('Code Injection') in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00156.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/r3ggi/electroniz3r
https://nvd.nist.gov/vuln/detail/CVE-2023-49314
https://nvd.nist.gov/vuln/detail/CVE-2023-50643
https://www.electronjs.org/docs/latest/tutorial/fuses

History

Fri, 27 Sep 2024 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos Logitech logi Options\+
CPEs		cpe:2.3:a:logitech:logi_options\+:::::::: cpe:2.3:o:apple:macos:-:::::::*
Vendors & Products		Apple Apple macos Logitech logi Options\+
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 10 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Logitech Logitech options Plus
CPEs		cpe:2.3:a:logitech:options_plus::::::::
Vendors & Products		Logitech Logitech options Plus
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Sep 2024 08:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Generation of Code ('Code Injection') in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration.
Title		Insecure Electron Fuses in Logitech Options Plus Allowing Arbitrary Code Execution on macOS
Weaknesses		CWE-94
References		https://github.com/r3ggi/electroniz3r https://nvd.nist.gov/vuln/detail/CVE-2023-49314 https://nvd.nist.gov/vuln/detail/CVE-2023-50643 https://www.electronjs.org/docs/latest/tutorial/fuses
Metrics		cvssV4_0 `{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/AU:Y/R:U'}`

Subscriptions

Apple Macos

Logitech Logi Options\+ Options Plus

MITRE

Status: PUBLISHED

Assigner: Logitech

Published: 2024-09-10T08:36:34.326Z

Updated: 2024-09-10T13:56:50.325Z

Reserved: 2024-08-28T08:47:03.078Z

Link: CVE-2024-8258

Vulnrichment

Updated: 2024-09-10T13:56:39.621Z

NVD

Status : Analyzed

Published: 2024-09-10T09:15:07.497

Modified: 2024-09-27T18:56:41.140

Link: CVE-2024-8258

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-94

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object