CVE-2024-7546: 
NixOS vulnerability analysis and mitigation

The CVE-2024-7546 is a heap-based buffer overflow vulnerability in oFono's SimToolKit functionality. The vulnerability was discovered by Lucas Leong of Trend Micro Zero Day Initiative and publicly disclosed on August 5th, 2024. This security flaw affects oFono installations and is tracked with a CVSS v3.1 base score of 7.8 (High) (ZDI Advisory, NVD).

The vulnerability exists within the parsing of STK (SIM Tool Kit) command PDUs. The specific issue stems from the lack of proper validation of the length of user-supplied data before copying it to a heap-based buffer. The vulnerability has been classified as CWE-787 (Out-of-bounds Write) by NIST and CWE-122 (Heap-based Buffer Overflow) by Zero Day Initiative. The CVSS v3.1 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with low attack complexity (NVD).

If successfully exploited, this vulnerability allows local attackers to execute arbitrary code in the context of the service account. An attacker must first obtain the ability to execute code on the target modem to exploit this vulnerability (ZDI Advisory).

According to the Zero Day Initiative, given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application. The vulnerability has been fixed in the sid version of the Debian package, while it remains vulnerable in bullseye and bookworm distributions (Debian Tracker, ZDI Advisory).

Multiple attempts were made by ZDI to report the vulnerability to the vendor via the oFono distribution list, Red Hat, and upstream Linux Kernel. The Linux Kernel team responded that since it "has nothing to do with the Linux Kernel," it should be reported to the distribution list. The vendor did not respond to these attempts (ZDI Advisory).