PT-2024-29132 · Unknown · Firewalla Box
Remy · Published 2024-08-12 · Updated 2024-08-21 · CVE-2024-40893
CVSS v3.1: 6.8 (Medium)
Vector: AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Firewalla Box Software versions before 1.979
Description: Multiple authenticated operating system (OS) command injection vulnerabilities exist in the software. A physically close attacker who is authenticated to the Bluetooth Low-Energy (BTLE) interface can use the network configuration service to inject commands through various configuration parameters, including networkConfig.Interface.Phy.Eth0.Extra.PingTestIP, networkConfig.Interface.Phy.Eth0.Extra.DNSTestDomain, and networkConfig.Interface.Phy.Eth0.Gateway6. Additionally, because the configuration can be synced to the Firewalla cloud, the attacker may be able to persist access even after hardware resets and firmware re-flashes.
Recommendations: For versions before 1.979, update to version 1.979 or later to resolve the issue. As a temporary workaround, consider restricting access to the network configuration service and the BTLE interface to minimize the risk of exploitation. Avoid using the vulnerable configuration parameters, such as networkConfig.Interface.Phy.Eth0.Extra.PingTestIP, networkConfig.Interface.Phy.Eth0.Extra.DNSTestDomain, and networkConfig.Interface.Phy.Eth0.Gateway6, until the issue is resolved.
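As an added illustration of the mitigation pattern behind the recommendation above (example code, not Firewalla's own), the following Python validates the three parameters named in the advisory as the network types they represent and builds the ping invocation as an argv list, so the configured value is never parsed by a shell. The key names come from the advisory; the validator mapping, the ping flags and the hostname pattern are assumptions.

```python
import ipaddress
import re

# Hostname pattern (assumption): RFC 1123-style labels only, so shell
# metacharacters such as ; | ` $ ( ) and whitespace can never pass.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)

def is_ipv4(value: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False

def is_ipv6(value: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv6Address)
    except ValueError:
        return False

def is_hostname(value: str) -> bool:
    return bool(HOSTNAME_RE.match(value))

# Parameter -> validator (assumed types): each value is accepted only if it
# parses as the kind of value the parameter is meant to hold.
VALIDATORS = {
    "networkConfig.Interface.Phy.Eth0.Extra.PingTestIP": is_ipv4,
    "networkConfig.Interface.Phy.Eth0.Extra.DNSTestDomain": is_hostname,
    "networkConfig.Interface.Phy.Eth0.Gateway6": is_ipv6,
}

def validate_config(cfg: dict) -> list:
    """Return the keys whose values fail validation (empty list = clean)."""
    bad = []
    for key, check in VALIDATORS.items():
        if key in cfg and not (isinstance(cfg[key], str) and check(cfg[key])):
            bad.append(key)
    return bad

def ping_argv(cfg: dict) -> list:
    """Build the ping command as argv (no shell) from a validated PingTestIP."""
    key = "networkConfig.Interface.Phy.Eth0.Extra.PingTestIP"
    if validate_config({key: cfg.get(key)}):
        raise ValueError("refusing to run ping with an invalid PingTestIP")
    # The target is its own argv element, so nothing in it is shell-interpreted.
    return ["ping", "-c", "1", cfg[key]]
```

Pass the returned list to subprocess.run() without shell=True; a value that fails validation is rejected before any command is built.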

Weakness Enumeration: OS Command Injection
Related Identifiers: CVE-2024-40893
Affected Products: Firewalla Box