CVE-2024-33844 in ANAFI USA Firmware
Summary
by MITRE • 05/03/2024
The 'control' in Parrot ANAFI USA firmware 1.10.4 does not check the MAV_MISSION_TYPE (0, 1, 2, 255), which allows an attacker to cut off the connection between a controller and the drone by sending a MAVLink MISSION_COUNT command with a wrong MAV_MISSION_TYPE.
Analysis
by VulDB Data Team • 06/14/2025
CVE-2024-33844 affects Parrot ANAFI USA drone firmware version 1.10.4 and is a critical flaw in the firmware's implementation of the MAVLink communication protocol. The 'control' component does not sufficiently validate the MAV_MISSION_TYPE field of incoming mission-planning messages, which gives an attacker a way to disrupt communication between the ground control station and the aircraft. The weakness sits in the mission-planning part of the drone's MAVLink interface, where the mission type is not checked before the command is processed.
The flaw is triggered when an attacker sends a MAVLink MISSION_COUNT message whose MAV_MISSION_TYPE field does not hold one of the defined mission types. The values 0, 1, 2 and 255 denote the mission types defined by the MAVLink specification, but the Parrot ANAFI USA firmware does not check the received value against that set before acting on the message. Because the field is never validated, a single malformed MISSION_COUNT is enough to terminate the link. The weakness is at protocol level: the firmware's MAVLink processing stack lacks input sanitization and range validation for this field.
The operational impact goes beyond a dropped connection, because it can compromise mission integrity and safety during critical operations. A successful attack forces the drone to disconnect from its controller, which can mean loss of control over the aircraft. If the disconnect happens during takeoff, landing or mission execution, the loss of communication could end in a crash or in unauthorized operation. This is especially concerning for commercial and military deployments, where reliable command and control is essential, and the ability to terminate the link remotely without any authentication is a significant risk to both the asset and operational safety.
The vulnerability maps to CWE-20, "Improper Input Validation," and aligns with several ATT&CK techniques: T1566.001 "Phishing: Spearphishing Attachment" and T1562.001 "Impair Command and Control". Because the parameter is not validated, the drone's communication channel becomes an attack surface through which an attacker could gain unauthorized influence over the link. It also relates to T1499.004 "Network Denial of Service", since terminating the connection is effectively a denial of service against the legitimate operator. Operators should require proper MAVLink validation, so that every field is strictly checked against its expected range before the message is processed, and should segment the network and monitor MAVLink traffic for anomalous command sequences that could indicate an exploitation attempt.
Mitigation should include a firmware update from Parrot that closes the validation gap, network-level filtering that restricts MAVLink traffic to authorized sources, and an intrusion detection capability that understands MAVLink and can flag suspicious message patterns. The firmware update should enforce strict validation of MAV_MISSION_TYPE so that only defined mission type values are accepted. Network administrators should also consider authentication for MAVLink sessions and proper access control on drone control interfaces. Regular security assessments of unmanned aerial systems should cover the MAVLink implementation for similar validation gaps, because this case shows how a seemingly minor protocol-validation issue can create a significant risk in an autonomous system.
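The following is an added example, not Parrot's firmware code or anything from the advisory, that shows both the missing check described above and the monitoring the mitigation paragraph calls for. It assumes a hand-written, unsigned MAVLink v2 framer, message id 44 for MISSION_COUNT with CRC_EXTRA 221 (the common.xml value; other dialects should be checked), and the four defined mission types from the summary (0, 1, 2, 255). The sample frames are constructed inline; the receiver rejects an undefined mission type with an error verdict instead of tearing down the link, and the audit function counts such frames per sender, which is the pattern a MAVLink-aware IDS would alert on.

```python
"""Defensive MISSION_COUNT handling for MAVLink v2 (added example, not Parrot code)."""
import struct

MAVLINK2_STX = 0xFD
MSG_ID_MISSION_COUNT = 44
CRC_EXTRA_MISSION_COUNT = 221          # assumption: common.xml value, verify per dialect
VALID_MISSION_TYPES = {0, 1, 2, 255}   # MAV_MISSION_TYPE: MISSION, FENCE, RALLY, ALL


def x25crc(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16/MCRF4XX as used by MAVLink framing."""
    for b in data:
        tmp = b ^ (crc & 0xFF)
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc


def build_mission_count(count, target_system, target_component, mission_type,
                        seq=0, sysid=255, compid=190) -> bytes:
    """Encode an unsigned MAVLink v2 MISSION_COUNT frame (used only to construct test input)."""
    # Wire order: largest fields first, extension field (mission_type) last.
    payload = struct.pack("<HBBB", count, target_system, target_component, mission_type)
    payload = payload.rstrip(b"\x00") or b"\x00"   # v2 trims trailing zero bytes, keeps >= 1
    header = struct.pack("<BBBBBBB", MAVLINK2_STX, len(payload), 0, 0, seq, sysid, compid)
    header += MSG_ID_MISSION_COUNT.to_bytes(3, "little")
    crc = x25crc(bytes([CRC_EXTRA_MISSION_COUNT]), x25crc(header[1:] + payload))
    return header + payload + struct.pack("<H", crc)


def decode_mission_count(frame: bytes) -> dict:
    """Parse an unsigned v2 MISSION_COUNT frame; raise ValueError on anything malformed."""
    if len(frame) < 12 or frame[0] != MAVLINK2_STX:
        raise ValueError("not a MAVLink v2 frame")
    plen = frame[1]
    if len(frame) < 12 + plen:
        raise ValueError("truncated frame")
    msgid = int.from_bytes(frame[7:10], "little")
    if msgid != MSG_ID_MISSION_COUNT:
        raise ValueError(f"msgid {msgid} is not MISSION_COUNT")
    payload = frame[10:10 + plen]
    want = x25crc(bytes([CRC_EXTRA_MISSION_COUNT]), x25crc(frame[1:10 + plen]))
    got = struct.unpack_from("<H", frame, 10 + plen)[0]
    if want != got:
        raise ValueError("bad checksum")
    # Re-expand trimmed bytes: an absent extension field decodes as 0 (MISSION).
    count, target_system, target_component, mission_type = struct.unpack(
        "<HBBB", payload.ljust(5, b"\x00")[:5])
    return {"count": count, "target_system": target_system,
            "target_component": target_component, "mission_type": mission_type,
            "sysid": frame[5], "compid": frame[6]}


def handle_mission_count(frame: bytes, my_system: int = 1) -> tuple:
    """Hardened receiver: returns (verdict, detail) instead of acting on undefined types."""
    try:
        msg = decode_mission_count(frame)
    except ValueError as exc:
        return ("drop", str(exc))
    if msg["target_system"] not in (0, my_system):
        return ("ignore", "not addressed to this system")
    if msg["mission_type"] not in VALID_MISSION_TYPES:
        # This is the check the advisory says is missing: an undefined MAV_MISSION_TYPE
        # must never reach the mission state machine, and must not drop the link.
        return ("reject", f"undefined MAV_MISSION_TYPE {msg['mission_type']}")
    return ("accept", f"{msg['count']} items, mission_type {msg['mission_type']}")


def audit_traffic(frames, my_system: int = 1) -> dict:
    """Monitor view: count rejected MISSION_COUNT frames per (sysid, compid) sender."""
    alerts = {}
    for frame in frames:
        verdict, _ = handle_mission_count(frame, my_system)
        if verdict == "reject":
            key = (frame[5], frame[6])
            alerts[key] = alerts.get(key, 0) + 1
    return alerts


# Constructed sample traffic: two legitimate uploads and one undefined mission type.
SAMPLE_FRAMES = [
    build_mission_count(5, 1, 1, 0, seq=1),    # mission upload (MAV_MISSION_TYPE_MISSION)
    build_mission_count(3, 1, 1, 1, seq=2),    # geofence upload (MAV_MISSION_TYPE_FENCE)
    build_mission_count(7, 1, 1, 42, seq=3),   # 42 is not a defined mission type
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(handle_mission_count(f))
    print(audit_traffic(SAMPLE_FRAMES))
```

The design point is that validation happens before any state change and yields a rejection the sender can see, so a MAVLink 1 peer that omits the extension field (decoded as type 0) keeps working while an out-of-range value is refused without affecting the link. The same decoder serves the network monitor, which needs only the count of rejects per sender to raise an alert.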