Advisory Details

June 13th, 2024

(0Day) Deep Sea Electronics DSE855 Multipart Boundary Infinite Loop Denial-of-Service Vulnerability

ZDI-24-673
ZDI-CAN-23171

CVE ID: CVE-2024-5949
CVSS SCORE: 4.3, AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
AFFECTED VENDORS: Deep Sea Electronics
AFFECTED PRODUCTS: DSE855
VULNERABILITY DETAILS

This vulnerability allows network-adjacent attackers to create a denial-of-service condition on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of multipart boundaries. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.

ADDITIONAL DETAILS

01/21/24 – ZDI requested a vendor PSIRT contact.

01/22/24 – The vendor provided contact information.

01/23/24 – ZDI reported the vulnerability to the vendor.

02/05/24 – The vendor stated the report was blocked by IT and asked ZDI to resend the report.

02/12/24 – ZDI resent the report using an alternative method.

02/13/24 – The vendor asked why we performed tests on their products.

02/13/24 – ZDI provided the vendor with additional details about the ZDI program.

02/14/24 – The vendor asked what prompted the ZDI to look at the DSE855.

02/14/24 – ZDI emphasized our intent to responsibly disclose this vulnerability to Deep Sea for remediation. The ZDI also offered additional resources about coordinated vulnerability disclosure, as well as feedback on implementing a proper incident response process. We also reiterated our 120-day disclosure policy to ensure the vendor was aware they needed to respond with a patch within the allotted time.

05/24/24 – ZDI informed the vendor that, since we never received a response, we have to assume this vulnerability remains unpatched, and that we’re publishing this case as a zero-day advisory on 06/13/24.

Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.


DISCLOSURE TIMELINE
  • 2024-01-23 - Vulnerability reported to vendor
  • 2024-06-13 - Coordinated public release of advisory
  • 2024-07-01 - Advisory Updated
CREDIT Dmitry "InfoSecDJ" Janushkevich of Trend Micro Zero Day Initiative