PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-38279 Motorola Solutions CVE debrief

A medium-severity vulnerability in Motorola Solutions Vigilant Fixed LPR Coms Box (BCAV1F2-C600) allows attackers with physical access to modify the bootloader using custom arguments, bypassing authentication to access the file system and obtain password hashes. The vulnerability requires physical access to the device, limiting its exploitability but granting high confidentiality impact when exploited.

Vendor: Motorola Solutions
Product: Vigilant Fixed LPR Coms Box (BCAV1F2-C600)
CVSS: MEDIUM 4.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-13
Original CVE updated: 2024-06-13
Advisory published: 2024-06-13
Advisory updated: 2024-06-13

Who should care

Organizations operating Motorola Solutions Vigilant license plate reader systems, particularly law enforcement agencies, parking management operators, and critical infrastructure security teams deploying these devices in physically accessible locations. Security teams responsible for physical security of edge computing and IoT devices in outdoor or semi-public deployments should assess exposure.

Technical summary

The Vigilant Fixed LPR Coms Box firmware through version 3.1.171.9 fails to properly secure the bootloader configuration, allowing an attacker with physical device access to supply custom kernel arguments during boot. This bypasses authentication mechanisms and grants access to the underlying file system, enabling extraction of password hashes. The vulnerability is mitigated by physical access requirements but poses significant risk to credential confidentiality if devices are physically compromised. Motorola Solutions has deployed an edit-resistant GRUB partition to all affected systems and will release a complete secure boot implementation in Fall 2024 via OTA update.

Defensive priority

medium

Recommended defensive actions

  • Implement physical security controls to limit access to deployed Vigilant Fixed LPR Coms Box devices, following CISA ICS recommended practices for device mounting and physical protection
  • Verify that deployed devices have actually received the edit-resistant GRUB partition update that Motorola Solutions states it has already applied to all vulnerable systems
  • Monitor for Motorola Solutions' secure boot implementation release scheduled for Fall 2024, which will be delivered via OTA update
  • Review and apply CISA's defense-in-depth guidance for industrial control systems to establish layered security controls around license plate reader deployments
  • Audit device access logs and physical security controls at LPR deployment locations to detect potential tampering attempts
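The advisory says the vendor's interim fix is an edit-resistant GRUB partition. As an added example (not Motorola Solutions' code, and not a description of how the Vigilant firmware is actually built), the script below audits a standard GRUB 2 `grub.cfg` for the settings that stop a console user from editing menu entries and appending kernel arguments; the two configs are constructed samples, and the PBKDF2 hash is a placeholder.

```python
import re

# Constructed sample: no superuser, so anyone at the console can press 'e',
# edit the entry and append custom kernel arguments before booting.
WEAK_CFG = """\
set timeout=5
menuentry 'LPR firmware' {
    linux /boot/vmlinuz root=/dev/mmcblk0p2 quiet
    initrd /boot/initrd.img
}
"""

# Constructed sample: a superuser with a PBKDF2 hash (placeholder value), so editing
# entries or using the GRUB shell needs the password, while the entry is marked
# --unrestricted so an unattended device still boots without an operator.
HARDENED_CFG = """\
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
set timeout=5
menuentry 'LPR firmware' --unrestricted {
    linux /boot/vmlinuz root=/dev/mmcblk0p2 quiet
    initrd /boot/initrd.img
}
"""

MENUENTRY = re.compile(r"""^\s*menuentry\s+(['"])(.*?)\1([^{]*)\{""", re.M)


def audit_grub_cfg(cfg: str) -> list[str]:
    """Return findings that mean menu-entry editing is not password protected."""
    findings = []
    if not re.search(r"^\s*set\s+superusers=", cfg, re.M):
        findings.append("no superusers set: menu entries can be edited at the console")
    if re.search(r"^\s*password\s+\S+\s+\S+", cfg, re.M):
        findings.append("plaintext 'password' directive: use password_pbkdf2 instead")
    if not re.search(r"^\s*password_pbkdf2\s", cfg, re.M):
        findings.append("no password_pbkdf2 entry: superuser has no hashed credential")
    return findings


def entries_needing_password_to_boot(cfg: str) -> list[str]:
    """With superusers set, entries lacking --unrestricted need the password just
    to boot; list them so an unattended device is not locked out of its own boot."""
    return [m.group(2) for m in MENUENTRY.finditer(cfg)
            if "--unrestricted" not in m.group(3)]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_grub_cfg(cfg), entries_needing_password_to_boot(cfg))
```

A GRUB password only restricts the menu; if the config and kernel live on writable storage, physical access still allows them to be rewritten from other boot media, which is why the advisory pairs the edit-resistant partition with a planned secure boot implementation.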

Evidence notes

CISA published advisory ICSA-24-165-19 on June 13, 2024, identifying this vulnerability in Motorola Solutions Vigilant Fixed LPR Coms Box devices running firmware version 3.1.171.9 and earlier. The CVSS 3.1 vector (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) confirms physical access requirement with high confidentiality impact.

Official resources

2024-06-13