License to Kill: Leveraging License Management to Attack ICS Networks

CVE-2024-47142

CWE-284: Improper access control

A network-adjacent authenticated attacker may perform unintended operations

CVSS v3: 5.5

CVE-2024-45837

CWE-321: Use of hard-coded cryptographic key

A network-adjacent unauthenticated attacker may log in to SFTP service and obtain and/or manipulate unauthorized files

CVSS v3: 5.4

CVE-2024-39290

CWE-522: Insufficiently protected credentials

A network-adjacent unauthenticated attacker may obtain sensitive information such as a username and its password in the address book

CVSS v3: 6.5

CVE-2024-31408

CWE-78: OS command injection

A network-adjacent authenticated attacker may execute an arbitrary OS command with root privileges by sending a specially crafted request

CVSS v3: 8.0

CVE-2024-49399

CWE-306: MISSING AUTHENTICATION FOR CRITICAL FUNCTION

The affected product is vulnerable to an attacker being able to use commands without providing a password which may allow an attacker to leak information.

Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, impersonate and send false information, or bypass authentication.

Elvaco has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of M-Bus Metering Gateway CMe3100 are invited to contact Elvaco customer support for additional information.

CVSS v3: 7.5