CVE-2024-4013 MEDIUM

CVE-2024-4013: Failure to update BT Mesh Replay Protection List

Vendor Silabs.com
Product Gecko SDK
Weakness CWE-404
Published June 6, 2024
Last update August 1, 2024

CVSS base score

5.6/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

A bug exists in the API, mesh_node_power_off(), which fails to copy the contents of the Replay Protection List (RPL) from RAM to NVM before powering down, resulting in the ability to replay unsaved messages. Note that as of June 2024, the Gecko SDK was renamed to the Simplicity SDK, and the versioning scheme was changed from Gecko SDK vX.Y.Z to Simplicity SDK YYYY.MM.Patch#.

Key dates

02Disclosure timeline

June 6, 2024 CVE published
August 1, 2024 Record updated