CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Meshtastic firmware is a device firmware for the Meshtastic project. The Meshtastic firmware does not check for packets claiming to be from the special broadcast address (0xFFFFFFFF), which could result in unexpected behavior and potential for DDoS attacks on the network. A malicious actor could craft a packet that claims to be from that address, which would amplify this one message into every node on the network sending multiple messages. Such an attack could result in degraded network performance for all users as the available bandwidth is consumed. This issue has been addressed in release version 2.5.6. • https://github.com/meshtastic/firmware/security/advisories/GHSA-xfmq-5j3j-vgv8 • CWE-138: Improper Neutralization of Special Elements; CWE-159: Improper Handling of Invalid Use of Special Elements

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

Meshtastic is an open source, off-grid, decentralized mesh network built to run on affordable, low-power devices. Meshtastic firmware is an open source firmware implementation for the broader project. The remote hardware module of the firmware does not have proper checks to ensure that a received remote hardware control message should be considered valid. This issue has been addressed in release version 2.5.1. All users are advised to upgrade. • https://github.com/meshtastic/firmware/security/advisories/GHSA-h8mh-p4r3-4jv7 • CWE-345: Insufficient Verification of Data Authenticity

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Meshtastic is an open source, off-grid, decentralized mesh network. Meshtastic uses MQTT to communicate over an internet connection to a shared or private MQTT server. Nodes can communicate directly via an internet connection or proxied through a connected phone (i.e., via Bluetooth). Prior to version 2.5.1, multiple weaknesses in the MQTT implementation allow for authentication and authorization bypasses resulting in unauthorized control of MQTT-connected nodes. Version 2.5.1 contains a patch. • https://github.com/meshtastic/firmware/security/advisories/GHSA-vqcq-wjwx-7252 • CWE-287: Improper Authentication; CWE-863: Incorrect Authorization

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Meshtastic device firmware is firmware for Meshtastic devices to run an open source, off-grid, decentralized mesh network built to run on affordable, low-power devices. Meshtastic device firmware is subject to a denial of service vulnerability in MQTT handling, fixed in version 2.4.1 of the Meshtastic firmware and on the Meshtastic public MQTT broker. It is strongly suggested that all users of Meshtastic, particularly those that connect to a privately hosted MQTT server, update to this or a more recent stable version right away. There are no known workarounds for this vulnerability. • https://github.com/meshtastic/firmware/security/advisories/GHSA-3x3r-vw9f-pxq5 • CWE-755: Improper Handling of Exceptional Conditions