CVE-2024-9692 - OpenCVE

VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Vimesa	Vhf\/fm Transmitter Blue Plus

No data.

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-01

History

Thu, 24 Oct 2024 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vimesa Vimesa vhf\/fm Transmitter Blue Plus
CPEs		cpe:2.3:a:vimesa:vhf\/fm_transmitter_blue_plus:9.7.1:::::::*
Vendors & Products		Vimesa Vimesa vhf\/fm Transmitter Blue Plus
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 24 Oct 2024 16:30:00 +0000

Type	Values Removed	Values Added
Description		VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations.
Title		Improper Access Control in Input in VIMESA VHF/FM Transmitter Blue Plus
Weaknesses		CWE-284
References		https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-01
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2024-10-24T16:20:57.274Z

Updated: 2024-10-24T19:53:10.104Z

Reserved: 2024-10-09T14:57:45.229Z

Link: CVE-2024-9692

Vulnrichment

Updated: 2024-10-24T19:53:03.271Z

NVD

Status : Awaiting Analysis

Published: 2024-10-24T17:15:17.953

Modified: 2024-10-25T12:56:07.750

Link: CVE-2024-9692

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9692", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-10-09T14:57:45.229Z", "datePublished": "2024-10-24T16:20:57.274Z", "dateUpdated": "2024-10-24T19:53:10.104Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "VHF/FM Transmitter Blue Plus", "vendor": "VIMESA", "versions": [{"status": "affected", "version": "v9.7.1"}]}], "credits": [{"lang": "en", "type": "finder", "value": "CISA discovered this report authored by Gjoko Krstic."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations.</p><br>"}], "value": "VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-10-24T16:20:57.274Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-01"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper Access Control in Input in VIMESA VHF/FM Transmitter Blue Plus", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>VIMESA has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.vimesa.es/contactenos/\">VIMESA</a> for additional information.</p><br>\n\n<br>"}], "value": "VIMESA has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact VIMESA https://www.vimesa.es/contactenos/ \u00a0for additional information."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "vimesa", "product": "vhf\\/fm_transmitter_blue_plus", "cpes": ["cpe:2.3:a:vimesa:vhf\\/fm_transmitter_blue_plus:9.7.1:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "9.7.1", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-24T19:44:00.241326Z", "id": "CVE-2024-9692", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-24T19:53:10.104Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9692", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-24T19:44:00.241326Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:vimesa:vhf\\/fm_transmitter_blue_plus:9.7.1:*:*:*:*:*:*:*"], "vendor": "vimesa", "product": "vhf\\/fm_transmitter_blue_plus", "versions": [{"status": "affected", "version": "9.7.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-24T19:53:03.271Z"}}], "cna": {"title": "Improper Access Control in Input in VIMESA VHF/FM Transmitter Blue Plus", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "CISA discovered this report authored by Gjoko Krstic."}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "VIMESA", "product": "VHF/FM Transmitter Blue Plus", "versions": [{"status": "affected", "version": "v9.7.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-01", "tags": ["government-resource"]}], "workarounds": [{"lang": "en", "value": "VIMESA has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact VIMESA https://www.vimesa.es/contactenos/ \u00a0for additional information.", "supportingMedia": [{"type": "text/html", "value": "<p>VIMESA has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of the affected products are encouraged to contact <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.vimesa.es/contactenos/\">VIMESA</a> for additional information.</p><br>\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations.", "supportingMedia": [{"type": "text/html", "value": "<p>VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations.</p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-10-24T16:20:57.274Z"}}}, "cveMetadata": {"cveId": "CVE-2024-9692", "state": "PUBLISHED", "dateUpdated": "2024-10-24T19:53:10.104Z", "dateReserved": "2024-10-09T14:57:45.229Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2024-10-24T16:20:57.274Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations."}, {"lang": "es", "value": "El transmisor VHF/FM Blue Plus de VIMESA sufre una vulnerabilidad de denegaci\u00f3n de servicio (DoS). Un atacante no autenticado puede enviar una solicitud HTTP GET no autorizada al endpoint desprotegido 'doreboot' y reiniciar las operaciones del transmisor."}], "id": "CVE-2024-9692", "lastModified": "2024-10-25T12:56:07.750", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2024-10-24T17:15:17.953", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}