Improper Verification of Cryptographic Signature in Halo9 - CVE-2024-23960

 


Published: June 26, 2024


Vulnerability identifier: #VU93363
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-23960
CWE-ID: CWE-347
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Alpine
Affected software:
Halo9

Detailed vulnerability description

The vulnerability allows a local attacker to compromise the target system.

The vulnerability exists due to improper verification of a cryptographic signature within the firmware metadata signature validation mechanism. An attacker with physical access can bypass the signature validation mechanism on the target device.


How to mitigate CVE-2024-23960

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
