CVE-2024-7538: 
NixOS vulnerability analysis and mitigation

oFono CUSD AT Command Stack-based Buffer Overflow Code Execution Vulnerability (CVE-2024-7538) affects oFono installations and was discovered in early 2024. The vulnerability allows local attackers to execute arbitrary code on affected installations of oFono, requiring initial access to execute code on the target modem (ZDI Advisory).

The vulnerability exists within the parsing of responses from AT Commands. The specific flaw stems from the lack of proper validation of the length of user-supplied data before copying it to a stack-based buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, an attacker can leverage this vulnerability to execute code in the context of root, potentially gaining complete control over the affected system (ZDI Advisory).

As of August 2024, there is no official patch available. ZDI made multiple attempts to report the vulnerability to the vendor via the oFono distribution list, Red Hat, and upstream Linux Kernel, but received no response. The Linux Kernel team indicated that since the issue "has nothing to do with the Linux Kernel," it should be reported to the distribution list (ZDI Advisory).