CVE-2024-33896

Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to code injection due to improper parameter blacklisting. This is fixed in version 21.2s10 and 22.1s3.
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:o:hms-networks:ewon_cosy\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:hms-networks:ewon_cosy\+_firmware:*:*:*:*:*:*:*:*
OR cpe:2.3:h:hms-networks:ewon_cosy\+_4g_apac:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_cosy\+_4g_eu:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_cosy\+_4g_jp:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_cosy\+_4g_na:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_cosy\+_ethernet:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_cosy\+_wifi:-:*:*:*:*:*:*:*

History

03 Sep 2024, 19:02

Type Values Removed Values Added
CPE cpe:2.3:h:hms-networks:ewon_cosy\+_ethernet:-:*:*:*:*:*:*:*
cpe:2.3:o:hms-networks:ewon_cosy\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_cosy\+_4g_eu:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_cosy\+_wifi:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_cosy\+_4g_na:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_cosy\+_4g_jp:-:*:*:*:*:*:*:*
cpe:2.3:h:hms-networks:ewon_cosy\+_4g_apac:-:*:*:*:*:*:*:*
First Time Hms-networks ewon Cosy\+ 4g Na
Hms-networks ewon Cosy\+ Wifi
Hms-networks ewon Cosy\+ 4g Apac
Hms-networks ewon Cosy\+ 4g Jp
Hms-networks ewon Cosy\+ Firmware
Hms-networks ewon Cosy\+ 4g Eu
Hms-networks ewon Cosy\+ Ethernet
Hms-networks
References () https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ - () https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ - Exploit, Third Party Advisory
References () https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf - () https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf - Vendor Advisory
References () https://www.ewon.biz/products/cosy/ewon-cosy-wifi - () https://www.ewon.biz/products/cosy/ewon-cosy-wifi - Product
References () https://www.hms-networks.com/cyber-security - () https://www.hms-networks.com/cyber-security - Vendor Advisory
CWE CWE-78
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.2

12 Aug 2024, 16:15

Type Values Removed Values Added
References
  • () https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ -

05 Aug 2024, 12:41

Type Values Removed Values Added
Summary
  • (es) Los dispositivos Cosy+ que ejecutan un firmware 21.x inferior a 21.2s10 o un firmware 22.x inferior a 22.1s3 son vulnerables a la inyección de código debido a una lista negra de parámetros incorrecta. Esto se solucionó en las versiones 21.2s10 y 22.1s3.

02 Aug 2024, 18:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-02 18:16

Updated : 2024-09-03 19:02


NVD link : CVE-2024-33896

Mitre link : CVE-2024-33896

CVE.ORG link : CVE-2024-33896


JSON object : View

Products Affected

hms-networks

  • ewon_cosy\+_4g_eu
  • ewon_cosy\+_4g_apac
  • ewon_cosy\+_4g_jp
  • ewon_cosy\+_wifi
  • ewon_cosy\+_firmware
  • ewon_cosy\+_4g_na
  • ewon_cosy\+_ethernet
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')