CVE-2024-2257 (GCVE-0-2024-2257)

Vulnerability from cvelistv5 – Published: 2024-05-10 13:26 – Updated: 2024-08-01 19:03
VLAI?
Title
Password Policy Bypass Vulnerability in Digisol Router
Summary
This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to improper implementation of password policies. An attacker with physical access could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats.
Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
Digisol Digisol Router DG-GR1321 Affected: v3.2.02
Create a notification for this product.
Credits
This vulnerability is discovered by Shravan Singh, Ganesh Bakare and Karan Patel from Redfox Cyber Security Inc, Toronto, Canada.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:digisol:dg-gr1321_firmware:3.2.02:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "dg-gr1321_firmware",
            "vendor": "digisol",
            "versions": [
              {
                "status": "affected",
                "version": "3.2.02"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-2257",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-15T15:23:51.477709Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-24T17:18:02.588Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T19:03:39.410Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0158"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Digisol Router DG-GR1321",
          "vendor": "Digisol",
          "versions": [
            {
              "status": "affected",
              "version": "v3.2.02"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This vulnerability is discovered by Shravan Singh, Ganesh Bakare and Karan Patel from Redfox Cyber Security Inc, Toronto, Canada."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThis vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L;  Firmware version : v3.2.02) due to improper implementation of password policies. An attacker with physical access could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system.\u003c/p\u003e\u003cp\u003eSuccessful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats.\u003c/p\u003e"
            }
          ],
          "value": "This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L;  Firmware version : v3.2.02) due to improper implementation of password policies. An attacker with physical access could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-05T12:13:59.577Z",
        "orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
        "shortName": "CERT-In"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0158"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade Digisol Router firmware to version v3.1.02-240311.\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.digisol.com/firmware/\"\u003ehttps://www.digisol.com/firmware/\u003c/a\u003e\u003cbr\u003e"
            }
          ],
          "value": "Upgrade Digisol Router firmware to version v3.1.02-240311.\n https://www.digisol.com/firmware/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Password Policy Bypass Vulnerability in Digisol Router",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
    "assignerShortName": "CERT-In",
    "cveId": "CVE-2024-2257",
    "datePublished": "2024-05-10T13:26:08.205Z",
    "dateReserved": "2024-03-07T09:46:47.485Z",
    "dateUpdated": "2024-08-01T19:03:39.410Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0158\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T19:03:39.410Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-2257\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-15T15:23:51.477709Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:o:digisol:dg-gr1321_firmware:3.2.02:*:*:*:*:*:*:*\"], \"vendor\": \"digisol\", \"product\": \"dg-gr1321_firmware\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.2.02\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-15T15:23:29.081Z\"}}], \"cna\": {\"title\": \"Password Policy Bypass Vulnerability in Digisol Router\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"This vulnerability is discovered by Shravan Singh, Ganesh Bakare and Karan Patel from Redfox Cyber Security Inc, Toronto, Canada.\"}], \"affected\": [{\"vendor\": \"Digisol\", \"product\": \"Digisol Router DG-GR1321\", \"versions\": [{\"status\": \"affected\", \"version\": \"v3.2.02\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade Digisol Router firmware to version v3.1.02-240311.\\n https://www.digisol.com/firmware/\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Upgrade Digisol Router firmware to version v3.1.02-240311.\u003cbr\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://www.digisol.com/firmware/\\\"\u003ehttps://www.digisol.com/firmware/\u003c/a\u003e\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0158\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L;  Firmware version : v3.2.02) due to improper implementation of password policies. An attacker with physical access could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system.\\n\\nSuccessful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThis vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L;  Firmware version : v3.2.02) due to improper implementation of password policies. An attacker with physical access could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system.\u003c/p\u003e\u003cp\u003eSuccessful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"66834db9-ab24-42b4-be80-296b2e40335c\", \"shortName\": \"CERT-In\", \"dateUpdated\": \"2024-06-05T12:13:59.577Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-2257\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T19:03:39.410Z\", \"dateReserved\": \"2024-03-07T09:46:47.485Z\", \"assignerOrgId\": \"66834db9-ab24-42b4-be80-296b2e40335c\", \"datePublished\": \"2024-05-10T13:26:08.205Z\", \"assignerShortName\": \"CERT-In\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.