Details of VAR-202404-0324

ID

VAR-202404-0324

CVE

CVE-2024-4124

TITLE

Shenzhen Tenda Technology Co.,Ltd. of W15E Out-of-bounds write vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2024-016543

DESCRIPTION

A vulnerability, which was classified as critical, was found in Tenda W15E 15.11.0.14. This affects the function formSetRemoteWebManage of the file /goform/SetRemoteWebManage. The manipulation of the argument remoteIP leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-261867. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Shenzhen Tenda Technology Co.,Ltd. of W15E An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The vulnerability is caused by the remoteIP parameter of the formSetRemoteWebManage method of the /goform/SetRemoteWebManage file failing to correctly verify the length of the input data. Remote attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service attack

Trust: 2.16

sources: NVD: CVE-2024-4124 // JVNDB: JVNDB-2024-016543 // CNVD: CNVD-2024-24730

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-24730

AFFECTED PRODUCTS

vendor:	tenda	model:	w15e	scope:	eq	version:	15.11.0.14	Trust: 1.0
vendor:	tenda	model:	w15e	scope:	eq	version:	-	Trust: 0.8
vendor:	tenda	model:	w15e	scope:	eq	version:	w15e firmware 15.11.0.14	Trust: 0.8
vendor:	tenda	model:	w15e	scope:	-	version:	-	Trust: 0.8
vendor:	jixiang tengda	model:	w15e	scope:	eq	version:	15.11.0.14	Trust: 0.6

sources: CNVD: CNVD-2024-24730 // JVNDB: JVNDB-2024-016543 // NVD: CVE-2024-4124

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com:	CVE-2024-4124
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2024-4124
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2024-016543
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2024-24730
value:	HIGH
Trust: 0.6

cna@vuldb.com:	CVE-2024-4124
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
OTHER:	JVNDB-2024-016543
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2024-24730
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

cna@vuldb.com:	CVE-2024-4124
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	JVNDB-2024-016543
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-24730 // JVNDB: JVNDB-2024-016543 // NVD: CVE-2024-4124 // NVD: CVE-2024-4124

PROBLEMTYPE DATA

problemtype:	CWE-121	Trust: 1.0
problemtype:	CWE-787	Trust: 1.0
problemtype:	Stack-based buffer overflow (CWE-121) [ others ]	Trust: 0.8
problemtype:	Out-of-bounds writing (CWE-787) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-016543 // NVD: CVE-2024-4124

PATCH

title:

Patch for Shenzhen Jixiang Tengda Technology Co., Ltd. W15E formSetRemoteWebManage method buffer overflow vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/547351

Trust: 0.6

sources: CNVD: CNVD-2024-24730

EXTERNAL IDS

db:	NVD	id:	CVE-2024-4124	Trust: 3.2
db:	VULDB	id:	261867	Trust: 2.4
db:	JVNDB	id:	JVNDB-2024-016543	Trust: 0.8
db:	CNVD	id:	CNVD-2024-24730	Trust: 0.6

sources: CNVD: CNVD-2024-24730 // JVNDB: JVNDB-2024-016543 // NVD: CVE-2024-4124

REFERENCES

url:	https://vuldb.com/?id.261867	Trust: 2.4
url:	https://github.com/abcdefg-png/iot-vulnerable/blob/main/tenda/w15ev1.0/formsetremotewebmanage.md	Trust: 1.8
url:	https://vuldb.com/?submit.317829	Trust: 1.8
url:	https://vuldb.com/?ctiid.261867	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2024-4124	Trust: 0.8

sources: CNVD: CNVD-2024-24730 // JVNDB: JVNDB-2024-016543 // NVD: CVE-2024-4124

SOURCES

db:	CNVD	id:	CNVD-2024-24730
db:	JVNDB	id:	JVNDB-2024-016543
db:	NVD	id:	CVE-2024-4124

LAST UPDATE DATE

2025-01-18T23:00:15.502000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-24730	date:	2024-05-29T00:00:00
db:	JVNDB	id:	JVNDB-2024-016543	date:	2025-01-16T03:30:00
db:	NVD	id:	CVE-2024-4124	date:	2025-01-15T18:43:47.577

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-24730	date:	2024-05-23T00:00:00
db:	JVNDB	id:	JVNDB-2024-016543	date:	2025-01-16T00:00:00
db:	NVD	id:	CVE-2024-4124	date:	2024-04-24T19:15:47.527