SecuriTricks - CVE-2024-7392

Description

ChargePoint Home Flex Bluetooth Low Energy Denial-of-Service Vulnerability. This vulnerability allows network-adjacent attackers to create a denial-of-service condition on affected installations of ChargePoint Home Flex charging devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the connection handling of the Bluetooth Low Energy interface. The issue results from limiting the number of active connections to the product. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-21455.

Product(s) Impacted

Vendor	Product	Versions
Chargepoint	Home Flex Firmware Home Flex	5.5.3.13 -

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-410

Insufficient Resource Pool

The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
o	chargepoint	home_flex_firmware	5.5.3.13	/	/	/	/	/	/	/
h	chargepoint	home_flex	-	/	/	/	/	/	/	/

References

https://www.zerodayinitiative.com/advisories/ZDI-24-1047/

CVSS Score

6.5 / 10

CVSS Data - 3.1

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

View Vector String

Timeline

Published: Nov. 22, 2024, 10:15 p.m.
Last Modified: Dec. 3, 2024, 10:17 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

zdi-disclosures@trendmicro.com

CVE-2024-7392