Horizon Business Services Caterease up to 24.0.1.2405 TCP Traffic verification of source
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.9 | $0-$5k | 0.03 |
Summary
A vulnerability was found in Horizon Business Services Caterease up to 24.0.1.2405 and classified as critical. This issue affects some unknown processing of the component TCP Traffic Handler. The manipulation leads to verification of source. The identification of this vulnerability is CVE-2024-38886. The attack needs to be approached within the local network. Furthermore, there is an exploit available. Once again VulDB remains the best source for vulnerability data.
Details
A vulnerability has been found in Horizon Business Services Caterease up to 24.0.1.2405 (Hospitality Software) and classified as critical. This vulnerability affects some unknown processing of the component TCP Traffic Handler. The manipulation with an unknown input leads to a verification of source vulnerability. The CWE definition for the vulnerability is CWE-940. The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Traffic Injection attack due to improper verification of the source of a communication channel.
The bug was discovered 04/17/2024. The weakness was published by Calvin Star (Skelet4r) with jTag Labs as security advisory (VulDB). The public release has been coordinated with the vendor. Caterease lacks proper verification of the source of communication channels, making it susceptible to TCP packet injection attacks. This vulnerability arises because the application does not use encryption or other verification methods to ensure the authenticity of the packets being exchanged between the client and server. As a result, attackers on the same network can intercept the communication and inject arbitrary packets into the communication stream. This vulnerability was named CVE-2024-38886 since 06/21/2024. The exploitation appears to be difficult. Access to the local network is required for this attack to succeed. No form of authentication is required for a successful exploitation. Technical details are unknown but a private exploit is available.
A private exploit has been developed by Skelet4r in Python. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 107 days. During that time the estimated underground price was around . Although an exploit is not currently publicly available, a proof-of-concept exploit has been developed by Skelet4r and jTag Labs to confirm the existence of this vulnerability within the Caterease application. This exploit was created for internal use only and is not being released publicly. To exploit this vulnerability, an attacker can analyze the TCP stream between the client application and server to identify the correct ACK and SEQ numbers. Using these details, a custom packet can be crafted and injected into the stream utilizing Python and libraries such as Scapy or Socket.
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.9VulDB Meta Temp Score: 7.9
VulDB Base Score: 5.0
VulDB Temp Score: 5.0
VulDB Vector: 🔒
VulDB Reliability: 🔍
Researcher Base Score: 7.1
Researcher Vector: 🔒
NVD Base Score: 9.8
NVD Vector: 🔒
CNA Base Score: 9.8
CNA Vector (MITRE): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Researcher Base Score: 🔒
Exploiting
Class: Verification of sourceCWE: CWE-940
CAPEC: 🔒
ATT&CK: 🔒
Local: No
Remote: Partially
Availability: 🔒
Access: Private
Status: Proof-of-Concept
Author: Skelet4r
Programming Language: 🔒
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔒
Timeline
04/17/2024 Vulnerability found05/14/2024 Vendor informed
06/21/2024 CVE reserved
08/01/2024 Advisory disclosed
08/01/2024 VulDB entry created
09/11/2024 VulDB entry last update
Sources
Researcher: Calvin Star (Skelet4r)Organization: jTag Labs
Status: Not defined
Coordinated: 🔒
CVE: CVE-2024-38886 (🔒)
GCVE (CVE): GCVE-0-2024-38886
GCVE (VulDB): GCVE-100-273370
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 08/01/2024 14:20Updated: 09/11/2024 07:18
Changes: 08/01/2024 14:20 (50), 08/01/2024 14:26 (12), 08/02/2024 14:05 (37), 08/02/2024 14:08 (5), 08/03/2024 18:45 (1), 09/11/2024 07:18 (21)
Complete: 🔍
Submitter: jTag Labs
Committer: jTag Labs
Cache ID: 216:D72:103
Submit
Accepted
- Submit #383226: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-940: Improper Verification of Source of a Communication Chan (by jTag Labs)
No comments yet. Languages: en.
Please log in to comment.