CVE-2024-13089

Summary

An OS command injection vulnerability within the update functionality may allow an authenticated administrator to execute unauthorized arbitrary OS commands.

Users with administrative privileges may upload update packages to upgrade the versions of Nozomi Networks Guardian and CMC.

While these updates are signed and their signatures are validated prior to installation, an improper signature validation check has been identified.

This issue could potentially enable users to execute commands remotely on the appliance, thereby impacting confidentiality, integrity, and availability.

Affected Software

VendorProductVersion RangeStatus
Nozomi NetworksGuardian0 < 24.6.0affected
Nozomi NetworksCMC0 < 24.6.0affected

Weaknesses

  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Workarounds

Only install update packages from trusted sources.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References