CVE-2024-29082
📋 TL;DR
An unauthenticated remote attacker can bypass authentication and factory reset Vonets industrial wifi bridge devices via unprotected goform endpoints. This affects Vonets industrial wifi bridge relays and repeaters running software versions 3.3.23.6.9 and earlier. Organizations using these devices for industrial network connectivity are vulnerable.
💻 Affected Systems
- Vonets industrial wifi bridge relays
- Vonets wifi bridge repeaters
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete network disruption as devices are factory reset, requiring physical access to reconfigure, potentially causing operational downtime in industrial environments.
Likely Case
Unauthorized factory reset of devices leading to network connectivity loss and requiring reconfiguration, disrupting industrial operations.
If Mitigated
Minimal impact with proper network segmentation and access controls preventing external access to vulnerable endpoints.
🎯 Exploit Status
Exploitation requires only HTTP requests to unprotected endpoints, making it trivial for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 3.3.23.6.9
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-08
Restart Required: Yes
Instructions:
1. Check current firmware version via device web interface. 2. Contact Vonets for updated firmware. 3. Backup device configuration. 4. Apply firmware update. 5. Reboot device. 6. Restore configuration if needed.
🔧 Temporary Workarounds
Network Segmentation
allIsolate Vonets devices in separate network segments with strict firewall rules.
Access Control Lists
allImplement ACLs to restrict access to device management interfaces.
🧯 If You Can't Patch
- Remove internet-facing access and place devices behind firewalls with strict inbound rules.
- Implement network monitoring for unauthorized access attempts to device management interfaces.
🔍 How to Verify
Check if Vulnerable:
Check firmware version in device web interface or via SSH if available. Versions 3.3.23.6.9 and earlier are vulnerable.Check Version:
Check via web interface at http://[device-ip]/ or consult device documentation for CLI version check.Verify Fix Applied:
Verify firmware version is updated beyond 3.3.23.6.9 and test authentication requirements for goform endpoints.📡 Detection & Monitoring
Log Indicators:
- HTTP requests to goform endpoints without authentication
- Factory reset events in device logs
- Unauthorized configuration changes
Network Indicators:
- HTTP POST requests to /goform endpoints from unauthorized sources
- Unusual traffic patterns to device management interfaces
SIEM Query:
source_ip=* AND (url_path="/goform/*" OR event_type="factory_reset") AND NOT user_authenticated=true