CVE-2024-24731
Published: 31 January 2025
Summary
CVE-2024-24731 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Silabs Gecko Os. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 33.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-24731 is a stack-based buffer overflow vulnerability in the http_download command of Silicon Labs Gecko OS. The issue stems from insufficient validation of the length of user-supplied data before it is copied into a stack-based buffer; the flaw is classified under CWE-120 (Buffer Copy without Checking Size of Input). It affects installations of Silicon Labs Gecko OS and enables network-adjacent attackers to execute arbitrary code in the context of the device without authentication.
Network-adjacent attackers can exploit this vulnerability without privileges (PR:N) or user interaction (UI:N), though exploitation requires high attack complexity (AC:H) and adjacent network access (AV:A). Successful exploitation allows arbitrary code execution on the affected device, resulting in high impacts to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 7.5 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Advisories from Silicon Labs (https://community.silabs.com/a45Vm0000000Atp) and the Zero Day Initiative (ZDI-24-870 at https://www.zerodayinitiative.com/advisories/ZDI-24-870/) provide further details on the vulnerability, including recommended mitigations and patches where available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22130
Vulnerability details
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Silicon Labs Gecko OS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the http_download command. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device.
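To make the CWE-120 pattern described above concrete, the following C program is an added illustration; it is not Gecko OS source, and the command name, buffer size (assumed 64 bytes) and argument framing are assumptions. It places the unchecked copy beside the length-validating form that NIST SI-10 (Information Input Validation) calls for, and the hardened handler rejects oversized or non-printable input rather than truncating it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of CWE-120 as described for CVE-2024-24731.
 * This is NOT Gecko OS source; the command name, buffer size and
 * argument layout are assumptions made for the example. */

#define URL_BUF_SIZE 64   /* assumed size of the stack buffer */

/* A command argument as a (pointer, length) pair, the way a framed
 * request arrives from the network: the length is attacker-controlled. */
struct cmd_arg {
    const uint8_t *data;
    size_t len;
};

/* VULNERABLE pattern: the argument length is trusted and copied into a
 * fixed-size stack buffer. Any len > URL_BUF_SIZE - 1 writes past the end
 * of url[] and into whatever the compiler placed above it on the stack
 * (saved registers, return address). */
int http_download_unchecked(const struct cmd_arg *arg)
{
    char url[URL_BUF_SIZE];
    memcpy(url, arg->data, arg->len);   /* no bound on arg->len */
    url[arg->len] = '\0';               /* second out-of-bounds write */
    printf("downloading %s\n", url);
    return 0;
}

/* HARDENED pattern (SI-10): validate the length against the destination
 * before any copy, and reject rather than truncate. Returns 0 on
 * success, -1 when the input is rejected. */
int http_download_checked(const struct cmd_arg *arg)
{
    char url[URL_BUF_SIZE];

    if (arg == NULL || arg->data == NULL)
        return -1;
    /* Leave room for the terminator; reject, do not truncate. */
    if (arg->len == 0 || arg->len > URL_BUF_SIZE - 1)
        return -1;
    /* A URL argument should be printable ASCII; reject embedded NULs and
     * control bytes that a later strlen()/strcpy() would mishandle. */
    for (size_t i = 0; i < arg->len; i++) {
        if (arg->data[i] < 0x20 || arg->data[i] > 0x7e)
            return -1;
    }
    memcpy(url, arg->data, arg->len);
    url[arg->len] = '\0';
    printf("downloading %s\n", url);
    return 0;
}

/* Verdict of the checked handler for a C string argument. */
int checked_verdict_for_str(const char *s)
{
    struct cmd_arg a = { (const uint8_t *)s, strlen(s) };
    return http_download_checked(&a);
}

/* Verdict of the checked handler for n bytes of 'A', which is enough to
 * observe the boundary at URL_BUF_SIZE - 1. */
int checked_verdict_for_len(size_t n)
{
    uint8_t buf[256];
    if (n > sizeof buf)
        return -1;
    memset(buf, 'A', n);
    struct cmd_arg a = { buf, n };
    return http_download_checked(&a);
}

int main(void)
{
    /* Constructed sample input for the demonstration. */
    const char *sample = "http://example.invalid/fw.bin";
    struct cmd_arg ok = { (const uint8_t *)sample, strlen(sample) };

    printf("checked, valid URL: %d\n", checked_verdict_for_str(sample));
    printf("checked, 63 bytes:  %d\n", checked_verdict_for_len(63));
    printf("checked, 64 bytes:  %d\n", checked_verdict_for_len(64));
    /* The unchecked handler is only called with in-bounds input here;
     * an over-long argument would corrupt the stack. */
    printf("unchecked, valid URL: %d\n", http_download_unchecked(&ok));
    return 0;
}
```

The detection signal a defender cares about is the boundary: 63 bytes is the longest argument the checked handler accepts, and anything longer is refused before a single byte is copied, which is exactly the check the vulnerable form lacks.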
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The stack buffer overflow in the network-accessible http_download command directly enables unauthenticated remote code execution on the device.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of the length of user-supplied data prior to copying it into stack-based buffers, addressing the core buffer overflow flaw in the http_download command.
- SI-2 (Flaw Remediation): Mandates identification, reporting, and correction of the stack-based buffer overflow through patching as provided in the Silicon Labs advisory.
- SI-16 (Memory Protection): Provides memory protections such as stack canaries and address space layout randomization to prevent arbitrary code execution even if the buffer overflow occurs.