CVE-2024-35061
Published: 21 May 2024
Summary
CVE-2024-35061 is a high-severity Missing Encryption of Sensitive Data (CWE-311) vulnerability in NASA AIT-Core. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE is ranked in the top 20.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1752
Vulnerability details
NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middle attack. When chained with CVE-2024-35059, this CVE leads to unauthenticated, fully remote code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unencrypted network channels enable man-in-the-middle attacks (T1557: Adversary-in-the-Middle).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Privacy and security training stresses encryption of sensitive data, reducing missing encryption weaknesses.
Exchange agreements must document security requirements, which would include encryption to protect sensitive data in transit.
The map highlights data actions that involve sensitive data, enabling identification of missing encryption requirements.
Settings can require encryption of sensitive data, preventing missing encryption weaknesses.
Architectures must describe confidentiality protections, which includes mandating encryption for sensitive data in transit and at rest.
Privacy and security curricula stress encryption requirements, reducing missing encryption of sensitive data.
Requires encryption and similar controls for CUI processed or stored externally, preventing missing encryption of sensitive data.
Monitoring detects missing encryption of sensitive data in storage or transit configurations.