PatchSiren cyber security CVE debrief

CVE-2024-42001 Vonets CVE debrief

An Improper Authentication vulnerability in Vonets Industrial WiFi Bridge Relays and WiFi Bridge Repeaters allows unauthenticated remote attackers to bypass authentication when another user maintains an active session. The vulnerability affects software versions 3.3.23.6.9 and prior across 14 product models. An attacker can exploit this by sending a specially crafted direct request to the device, gaining unauthorized access without valid credentials. The CVSS 3.1 score of 8.6 (High) reflects network attack vector, low attack complexity, no privileges required, no user interaction needed, and high availability impact with low confidentiality and integrity impacts. CISA published this advisory on August 1, 2024. Vonets has not responded to CISA's requests to collaborate on mitigation; users must contact Vonets support directly for assistance. No patch is currently available from the vendor.

Vendor: Vonets
Product: VAR1200-H
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-01
Original CVE updated: 2024-08-01
Advisory published: 2024-08-01
Advisory updated: 2024-08-01

Who should care

Organizations deploying Vonets VAR1200-H, VAR1200-L, VAR600-H, VAP11AC, VAP11G-500S, VBG1200, VAP11S-5G, VAP11S, VAR11N-300, VAP11G-300, VAP11N-300, VAP11G, VAP11G-500, or VGA-1000 WiFi bridges in industrial, enterprise, or operational technology environments. Security teams responsible for wireless infrastructure, network administrators managing remote site connectivity, and OT security practitioners with bridge deployments should prioritize assessment. Organizations with regulatory requirements for authentication controls in industrial networks face compliance exposure. Users relying on these devices for critical infrastructure connectivity require immediate risk evaluation given the unpatched status and vendor non-response.

Technical summary

The vulnerability stems from improper authentication validation in Vonets WiFi Bridge firmware. When a legitimate user maintains an active administrative session, an unauthenticated remote attacker can bypass authentication checks by sending a specially crafted direct request to the device. This request appears to exploit insufficient session isolation or authentication state validation, allowing the attacker to gain unauthorized access without presenting valid credentials. The attack requires network accessibility to the device management interface but no user interaction or prior privileges. Successful exploitation grants attacker capabilities with low confidentiality and integrity impact but high availability impact, suggesting potential for configuration changes or service disruption.

Defensive priority

HIGH

Recommended defensive actions

Contact Vonets support at the provided email address to request security patches or mitigation guidance for affected devices
Segment affected Vonets devices from untrusted networks and restrict administrative access to dedicated management VLANs
Monitor for unauthorized administrative sessions on affected devices, particularly when legitimate users are actively connected
Implement network access controls to limit direct requests to device management interfaces from unauthorized sources
Consider replacing affected devices with alternatives from vendors providing active security support if patches are not forthcoming
Apply CISA ICS recommended practices for network segmentation and defense-in-depth for industrial control systems
Review and strengthen session management controls on any interim deployments of affected devices

Evidence notes

CISA CSAF advisory ICSA-24-214-08 documents authentication bypass via crafted direct request during active user session. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H. Affected versions confirmed as 3.3.23.6.9 and prior across 16 product entries covering 14 distinct models.

Official resources

CISA disclosed this vulnerability on August 1, 2024, after Vonets failed to respond to coordination requests. The vendor has not provided patches or mitigation guidance.