Midnight Blue

**Name of the Vulnerable Software and Affected Versions** QuRouter versions prior to 2.4.4.106 **Description** An OS command injection issue has been reported, potentially allowing local network attackers to execute commands if exploited. **Recommendations** For QuRouter versions prior to 2.4.4.106, update to version 2.4.4.106 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: QuRouter versions prior to 2.4.3.103 Description: An OS command injection vulnerability has been reported, which could allow remote attackers to execute commands if exploited. Over 2,500 services are potentially affected. The issue is related to the failure to neutralize special elements used in OS commands. Recommendations: For QuRouter versions prior to 2.4.3.103, update to version 2.4.3.103 or later to resolve the issue. As a temporary workaround, consider restricting access to vulnerable components until a patch is applied. Avoid using the vulnerable functionality in the affected QuRouter versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Autel MaxiCharger AC Elite Business C50 (affected versions not specified) **Description** This issue allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Business C50 EV chargers. The specific flaw exists within the handling of the `AppAuthenExchangeRandomNum` BLE command. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Authentication is not required to exploit this vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Autel MaxiCharger AC Elite Business C50 (affected versions not specified) **Description** This issue allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Business C50 charging stations. Authentication is not required to exploit this issue. The specific flaw exists within the DLB HostHeartBeat handler of the DLB protocol implementation. When parsing an AES key, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this issue to execute code in the context of the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Sony XAV-AX5500 (affected versions not specified) **Description** This issue allows physically present attackers to execute arbitrary code on affected installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this issue. The specific flaw exists within the implementation of the Apple CarPlay protocol, resulting from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this issue to execute code in the context of the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Motorola MTM5000 series firmwares (affected versions not specified) **Description** The Motorola MTM5000 series firmwares lack pointer validation on arguments passed to trusted execution environment (TEE) modules. Two modules are used, one responsible for KVL key management and the other for TETRA cryptographic functionality. In both modules, an adversary with non-secure supervisor level code execution can exploit the issue in order to gain secure supervisor code execution within the TEE. This constitutes a full break of the TEE module, exposing the device key as well as any TETRA cryptographic keys and the confidential TETRA cryptographic primitives. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola MTM5000 series firmwares (affected versions not specified) **Description** The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG that relies on a tick count register as its sole entropy source. This results in low boottime entropy and limited re-seeding of the pool, making the authentication challenge vulnerable to attacks. An adversary can derive the contents of the entropy pool by an exhaustive search of possible values based on an observed authentication challenge. Additionally, an adversary can use knowledge of the entropy pool to predict authentication challenges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola MTM5000 series firmwares (affected versions not specified) **Description** The issue concerns a lack of properly configured memory protection of pages shared between the OMAP-L138 ARM and DSP cores in Motorola MTM5000 series firmwares. The System on Chip (SoC) has two memory protection units, MPU1 and MPU2, which are intended to enforce the trust boundary between the two cores. However, since both units are left unconfigured by the firmwares, an adversary with control over either core can easily gain code execution on the other by overwriting code in shared RAM or DDR2 memory regions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Texas Instruments OMAP L138 (secure variants) (affected versions not specified) **Description** The AES implementation in the Texas Instruments OMAP L138 suffers from a timing side channel. This can be exploited by an adversary with non-secure supervisor privileges by managing cache contents and collecting timing information for different ciphertext inputs. The SK LOAD secure kernel routine can be used to recover the Customer Encryption Key (CEK) using this side channel. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Texas Instruments OMAP L138 (secure variants) (affected versions not specified) **Description** The trusted execution environment (TEE) of the Texas Instruments OMAP L138 (secure variants) has a security issue. When loading a module through the SK LOAD routine, it performs an RSA check, but only validates the module header authenticity. This allows an adversary to reuse a correctly signed header and append a forged payload. The payload can be encrypted using the CEK to achieve arbitrary code execution in a secure context, breaking the TEE security architecture. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Texas Instruments OMAP L138 (secure variants) (affected versions not specified) **Description** The trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK LOAD module encrypted with the CEK. This constitutes a full break of the TEE security architecture. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola MTM5000 series firmware (affected versions not specified) **Description** A format string vulnerability exists in the AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds app binary, which runs with root privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola MBTS Site Controller (affected versions not specified) **Description** The Motorola MBTS Site Controller Man Machine Interface (MMI) accepts a hard-coded backdoor password that cannot be changed or disabled, allowing service technicians to diagnose and configure the device. This issue may pose a significant risk due to the potential for unauthorized access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola MBTS Base Radio (affected versions not specified) **Description** The Motorola MBTS Base Radio Man Machine Interface (MMI) accepts a hard-coded backdoor password that cannot be changed or disabled, allowing service technicians to diagnose and configure the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola MBTS Site Controller (affected versions not specified) **Description** The Motorola MBTS Site Controller fails to check firmware update authenticity due to a lack of cryptographic signature validation for firmware update packages. This allows an authenticated attacker to gain arbitrary code execution, extract secret key material, and/or leave a persistent implant on the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola EBTS/MBTS Base Radio (affected versions not specified) **Description** The Motorola MBTS Base Radio lacks cryptographic signature validation for firmware update packages, allowing an authenticated attacker to gain arbitrary code execution, extract secret key material, and/or leave a persistent implant on the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Motorola EBTS/MBTS Site Controller (affected versions not specified) **Description** The Motorola MBTS Site Controller exposes a debug prompt on the device's serial port in case of an unhandled exception. This allows an attacker with physical access that is able to trigger such an exception to extract secret key material and/or gain arbitrary code execution on the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TETRA (affected versions not specified) **Description** A flaw in the TETRA authentication procedure allows a Man-In-The-Middle (MITM) adversary that can predict the MS challenge `RAND2` to set session key `DCK` to zero. This issue does not specify the number of potentially affected devices or any real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TETRA (affected versions not specified) **Description** The issue is related to a lack of cryptographic integrity check on TETRA air-interface encrypted traffic. This allows an active adversary to manipulate cleartext data in a bit-by-bit fashion because a stream cipher is employed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TETRA TA61 (affected versions not specified) **Description** The TETRA TA61 identity encryption function uses a 64-bit value derived from the SCK (Class 2 networks) or CCK (Class 3 networks). This structure allows for efficient recovery of the 64-bit value, enabling an adversary to encrypt or decrypt arbitrary identities given only three known encrypted/unencrypted identity pairs. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.