CVE-2024-23963
Published: 31 January 2025
Summary
CVE-2024-23963 is a high-severity Code Injection (CWE-94) vulnerability in Alpsalpine Ilx-F509 Firmware. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 31.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-23963 is a stack-based buffer overflow vulnerability in Alpine Halo9 devices. The issue resides in the PBAP_DecodeVCARD function, which fails to properly validate the length of user-supplied data before copying it to a stack-based buffer. This flaw, classified under CWE-94 (code injection), enables network-adjacent attackers to execute arbitrary code on affected installations.
To exploit this vulnerability, an attacker must first obtain the ability to pair a malicious Bluetooth device with the target system. Network-adjacent attackers with no privileges (PR:N) but requiring user interaction (UI:R) can then leverage the buffer overflow to execute code in the context of root, achieving high confidentiality, integrity, and availability impacts (C:H/I:H/A:H). The CVSS v3.1 base score is 8.0 (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Details on mitigation and patches are available in the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-24-850/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-21389
Vulnerability details
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine Halo9 devices. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability. The specific flaw exists within the PBAP_DecodeVCARD function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow enables client-side arbitrary code execution (T1203) with escalation to root (T1068) after Bluetooth pairing.
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation of all user-supplied inputs including length checks, directly preventing the stack buffer overflow in PBAP_DecodeVCARD from unvalidated Bluetooth data.
SI-16 enforces memory protections like stack canaries, ASLR, and DEP to block arbitrary code execution from stack-based buffer overflows even if invalid data reaches the function.
AC-18 authorizes and controls wireless access including Bluetooth pairing, blocking network-adjacent attackers from connecting malicious devices as a prerequisite for exploitation.
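As an added illustration (not Alpine's code, and not the real PBAP_DecodeVCARD), the C below sketches a hypothetical vCard property decoder with the length check the vulnerability details say is missing and SI-10 calls for: a value that does not fit is refused rather than copied into the fixed stack buffer. The buffer size, function names and sample lines are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical decoder, not Alpine's code. VCARD_VALUE_MAX is the assumed
 * size of the fixed stack buffer a vCard property value is decoded into. */
#define VCARD_VALUE_MAX 64
/* Constructed sample lines, as phonebook entries might arrive over PBAP. */
const char SAMPLE_OK[] = "FN:Alice Example\r\n";
const char SAMPLE_LONG[] = "FN:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* oversized */
                           "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";

/* Locate the property value: text after the first ':' up to CR, LF or end of
 * line. Returns its length and sets *value, or -1 if there is no ':'. */
static long find_vcard_value(const char *line, size_t line_len, const char **value)
{
    const char *colon = memchr(line, ':', line_len);
    if (colon == NULL)
        return -1;
    *value = colon + 1;
    size_t remaining = line_len - (size_t)(*value - line);
    size_t n = 0;
    while (n < remaining && (*value)[n] != '\r' && (*value)[n] != '\n')
        n++;
    return (long)n;
}

/* Hardened copy: the value is written to `out` only if it fits with its NUL
 * terminator; otherwise nothing is written and false is returned. The reported
 * flaw is this same copy with the `value_len >= out_len` comparison missing. */
bool decode_vcard_value(const char *line, size_t line_len, char *out, size_t out_len)
{
    const char *value;
    long value_len = find_vcard_value(line, line_len, &value);
    if (value_len < 0 || out_len == 0 || (size_t)value_len >= out_len)
        return false;                      /* malformed or oversized: reject */
    memcpy(out, value, (size_t)value_len);
    out[value_len] = '\0';
    return true;
}

/* Mirrors the stack-buffer shape in the advisory: decode into a fixed local
 * array and report the decoded length, or -1 if the line was refused. */
long decode_line_len(const char *line)
{
    char name[VCARD_VALUE_MAX];
    if (!decode_vcard_value(line, strlen(line), name, sizeof name))
        return -1;
    return (long)strlen(name);
}
```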