Summary
LibOSDP RMAC revert to the beginning of the session
- Issues:
- SCS_14 is allowed on encrypted connection (osdp_phy.c)
- No validation for RMAC_I is only in response to osdp_SCRYPT (osdp_cp.c)
- Couldn't find anything specific in the OSDP specifications indicating it is forbidden, I'm gussing it shouldn't be allowed according from the secure connection initialization flow (let me know if you think there is spec-rela
ted change that should be done)
- Attack:
- Once RMAC_I message can be sent during a session, attacker with MITM access to the communication may intercept the original RMAC_I reply and save it.
- While the session continues, the attacker will record all of the replies and save them, till capturing the message to be replied (can be detected by ID, length or time based on inspection of visual activity next to the reade
r) - Once attacker captures a session with the message to be replayed, he stops reseting the connection and waits for signal to perform the replay to of the PD to CP message (ex: by signaling remotly to the MIMT device or setting
a specific timing). - in order to replay, the attacker will craft a specific RMAC_I message in the proper seq of the execution, which will result in reverting the RMAC to the begining of the session.
- At that phase - attacker can replay all the messages from the begining of the session.
Impact
Replay attack
CVE-2024-52288 has a CVSS score of 5.1 (Medium). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.0.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
This issue has been fixed in 298576d9214b48214092eebdd892ec77be085e5a
Frequently Asked Questions
- What is CVE-2024-52288? CVE-2024-52288 is a medium-severity security vulnerability in libosdp (pip), affecting versions < 3.0.0. It is fixed in 3.0.0.
- How severe is CVE-2024-52288? CVE-2024-52288 has a CVSS score of 5.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of libosdp are affected by CVE-2024-52288? libosdp (pip) versions < 3.0.0 is affected.
- Is there a fix for CVE-2024-52288? Yes. CVE-2024-52288 is fixed in 3.0.0. Upgrade to this version or later.
- Is CVE-2024-52288 exploitable, and should I be worried? Whether CVE-2024-52288 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-52288 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-52288? Upgrade
libosdpto 3.0.0 or later.