PatchSiren cyber security CVE debrief
CVE-2024-38280 Motorola Solutions CVE debrief
Motorola Solutions Vigilant Fixed LPR Coms Box (BCAV1F2-C600) stores sensitive data, including credentials, in clear text on the hard disk. An unauthorized user with physical access can retrieve the hard disk and gain access to this sensitive data. The vulnerability affects devices running firmware version 3.1.171.9 and earlier. Motorola Solutions has addressed this by implementing full disk encryption using LUKS standards and GRUB Bootloader password protection on devices shipped after May 10, 2024. For devices unable to receive full disk encryption, all Criminal Justice Information (CJI) data has been encrypted. The CVSS 3.1 score of 6.8 reflects the physical attack vector required, with high impacts to confidentiality, integrity, and availability once access is obtained.
- Vendor: Motorola Solutions
- Product: Vigilant Fixed LPR Coms Box (BCAV1F2-C600)
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-13
- Original CVE updated: 2024-06-13
- Advisory published: 2024-06-13
- Advisory updated: 2024-06-13
Who should care
Organizations operating Motorola Solutions Vigilant Fixed LPR Coms Box systems, particularly law enforcement and government agencies handling Criminal Justice Information (CJI) subject to CJIS Security Policy requirements. Security teams responsible for the physical security of traffic infrastructure and automated license plate recognition deployments should also take note.
Technical summary
The Vigilant Fixed LPR Coms Box stores sensitive authentication credentials and Criminal Justice Information (CJI) in unencrypted form on the local hard disk. This allows an attacker with physical access to remove the storage device and extract sensitive data without authentication. The vulnerability is classified as medium severity (CVSS 3.1: 6.8) due to the physical attack vector requirement, though impact is rated high across confidentiality, integrity, and availability dimensions. Remediation requires cryptographic controls: full disk encryption per LUKS standards, bootloader password protection, and column-level database encryption for sensitive fields.
Defensive priority
high
Recommended defensive actions
- Apply full disk encryption using LUKS standards with GRUB Bootloader password protection to all affected devices
- Implement column-level encryption for sensitive database data containing Criminal Justice Information (CJI)
- Verify all devices shipped after May 10, 2024 have encryption enabled; no further action required for these units
- For devices that cannot support full disk encryption, ensure all CJI data is encrypted at the application or database level
- Restrict physical access to LPR Coms Box hardware to authorized personnel only
- Audit existing deployments to identify devices running firmware version 3.1.171.9 or earlier requiring remediation
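As an added verification example (not Motorola's own tooling), the following Python script checks the two remediation controls named above on a Linux-based device: whether the root filesystem sits on a LUKS container and whether grub.cfg declares a superuser password. It assumes util-linux `lsblk -J` and a GRUB2 configuration at `/boot/grub/grub.cfg`; the embedded lsblk and grub.cfg samples are constructed, not captured from a real unit.

```python
import json
import re
import subprocess

# Constructed samples (not captured from a real Coms Box): an encrypted layout
# with / on a dm-crypt device under a crypto_LUKS partition, and a plain one.
SAMPLE_LSBLK_ENCRYPTED = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
        {"name": "root_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]}]})
SAMPLE_LSBLK_PLAIN = json.dumps({"blockdevices": [{"name": "sda", "type": "disk", "children": [
    {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/"}]}]})
# The hash value below is a placeholder, not real grub-mkpasswd-pbkdf2 output.
SAMPLE_GRUB_PROTECTED = 'set superusers="admin"\npassword_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER\n'
SAMPLE_GRUB_OPEN = "menuentry 'Linux' {\n  linux /vmlinuz root=/dev/sda1\n}\n"


def root_is_luks(lsblk_json: str) -> bool:
    """True if the device mounted at / is a LUKS container or descends from one
    (covers plain LUKS and LVM-on-LUKS layouts)."""
    def walk(node, under_luks):
        is_luks = node.get("fstype") == "crypto_LUKS" or node.get("type") == "crypt"
        mounts = node.get("mountpoints") or [node.get("mountpoint")]  # newer lsblk emits a list
        if "/" in mounts and (under_luks or is_luks):
            return True
        return any(walk(c, under_luks or is_luks) for c in node.get("children", []))
    return any(walk(n, False) for n in json.loads(lsblk_json)["blockdevices"])


def grub_password_set(grub_cfg: str) -> bool:
    """True if grub.cfg both names a superuser and stores a PBKDF2 password hash."""
    has_super = re.search(r"^\s*set\s+superusers\s*=", grub_cfg, re.M) is not None
    has_hash = re.search(r"^\s*password_pbkdf2\s+\S+\s+grub\.pbkdf2\.", grub_cfg, re.M) is not None
    return has_super and has_hash


def audit(lsblk_json: str, grub_cfg: str) -> dict:
    """Both findings must be True for the device to match the vendor's remediation."""
    return {"root_on_luks": root_is_luks(lsblk_json), "grub_password": grub_password_set(grub_cfg)}


if __name__ == "__main__":
    # Live run on the appliance: assumes util-linux lsblk and a GRUB2 config at this path.
    live = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                          capture_output=True, text=True, check=True).stdout
    with open("/boot/grub/grub.cfg") as fh:
        print(audit(live, fh.read()))
```

A device that reports either finding as False still stores its data readable by anyone who removes the disk, which is the condition the advisory describes.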
Evidence notes
CISA ICS Advisory ICSA-24-165-19 published 2024-06-13 confirms clear-text credential storage on physical disk. Vendor remediation includes full disk encryption (LUKS) and column-level database encryption for sensitive data. Devices shipped after 2024-05-10 include encryption by default.
Official resources
- CVE-2024-38280 CVE record (CVE.org)
- CVE-2024-38280 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-06-13