PT-2024-1441 · SE-elektronic GmbH · E-DDC3.3

Carlos Antonini · Published 2024-01-29 · Updated 2025-01-03 · CVE-2024-1015

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: SE-elektronic GmbH E-DDC3.3 versions 03.07.03 and higher

Description: The issue is a remote command execution vulnerability in the web configuration functionality of the device, which allows an attacker to pass operating-system commands to the system. The root cause is improper control of code generation in the web interface of the device's firmware. An attacker could exploit this by sending specially crafted web requests via the CGI interface, potentially allowing them to execute arbitrary commands. The advisory also mentions an uncontrolled resource consumption issue that could allow an attacker to disrupt the availability of the administration panel by sending multiple ICMP packets.

Recommendations: For versions 03.07.03 and higher, consider disabling the web configuration functionality until a patch is available, to prevent remote command execution. As a temporary workaround, restrict access to the administration panel to minimize the risk of exploitation via ICMP packets. Avoid using the CGI interface of the affected web interface until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Code Injection


Weakness Enumeration

Related Identifiers

BDU:2024-00925
CVE-2024-1015

Affected Products

E-DDC3.3