PT-2024-22765 · Alcatel Lucent · Alcatel-Lucent Ale Noe Deskphones+1
Moritz Abrell · Published 2024-05-07 · Updated 2024-07-03
CVE-2024-29149
CVSS v3.1: 7.4 (High)
Vector: AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Alcatel-Lucent ALE NOE deskphones versions 86x8 NOE-R300.1.40.12.4180 and earlier
Alcatel-Lucent ALE SIP deskphones versions 86x8 SIP-R200.1.01.10.728 and earlier
Description
A time-of-check to time-of-use (TOCTOU) vulnerability allows an authenticated attacker to replace the verified firmware image with malicious firmware during the update process.
Recommendations
For Alcatel-Lucent ALE NOE deskphones versions 86x8 NOE-R300.1.40.12.4180 and earlier, update the firmware to a version later than 86x8 NOE-R300.1.40.12.4180.
For Alcatel-Lucent ALE SIP deskphones versions 86x8 SIP-R200.1.01.10.728 and earlier, update the firmware to a version later than 86x8 SIP-R200.1.01.10.728.
As a temporary workaround, consider restricting access to the firmware update process until a patch is available.
Fix
Time Of Check To Time Of Use
Affected Products
Alcatel-Lucent Ale Noe Deskphones
Alcatel-Lucent Ale Sip Deskphones