CVE-2024-29149

An issue was discovered in Alcatel-Lucent ALE NOE deskphones through 86x8_NOE-R300.1.40.12.4180 and SIP deskphones through 86x8_SIP-R200.1.01.10.728. Because of a time-of-check time-of-use vulnerability, an authenticated attacker is able to replace the verified firmware image with malicious firmware during the update process.
TOCTOU
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.4 HIGH
PHYSICAL
LOW
LOW
CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
mitreCNA
---
---
CISA-ADPADP
7.4 HIGH
PHYSICAL
LOW
LOW
CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Common Weakness Enumeration
References
https://www.al-enterprise.com/-/media/assets/internet/documents/n-to-s/sa-c0071-ed01.pdf
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-010.txt
https://www.al-enterprise.com/-/media/assets/internet/documents/n-to-s/sa-c0071-ed01.pdf
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-010.txt