CVE-2024-7539

Name of the Vulnerable Software and Affected Versions oFono version 1.34

Description This issue allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this issue. The specific flaw exists within the parsing of responses from AT+CUSD commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this issue to execute code in the context of root.

Recommendations For oFono version 1.34, patch immediately to mitigate the risk of code execution. As a temporary workaround, consider restricting access to the AT+CUSD commands until a patch is available. Avoid using the vulnerable CUSD handler in the affected oFono version until the issue is resolved.