CVE-2024-6198: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in ViaSat RM4100
The device exposes a web interface on ports TCP/3030 and TCP/9882. This web service runs lighttpd, which implements the “SNORE” interface. This interface is affected by a stack buffer overflow vulnerability due to insecure path parsing. An attacker with access to the LAN network interface could use a specially crafted HTTP request to exploit a buffer overflow on the modem.
AI Analysis
Technical Summary
CVE-2024-6198 is a high-severity stack-based buffer overflow vulnerability affecting the ViaSat RM4100 modem. The modem exposes a web interface on TCP ports 3030 and 9882, served by the lighttpd web server, which implements the "SNORE" interface. This interface parses request paths insecurely: data is copied onto the stack without validating its size first, producing a classic buffer overflow (CWE-120). An attacker with access to the LAN can send a specially crafted HTTP request to trigger this overflow. Successful exploitation could allow an attacker to execute arbitrary code on the modem, potentially leading to full compromise of the device. The vulnerability does not require authentication or user interaction but does require network access to the LAN interface, limiting the attack surface to internal or otherwise accessible networks. The CVSS 4.0 base score is 7.7 (high), reflecting the significant impact on confidentiality, integrity, and availability, weighed against the need for LAN access and the high attack complexity. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability highlights the risk of insecure input handling in embedded device web interfaces, which can be leveraged to gain control over critical network infrastructure components.
Potential Impact
For European organizations, the exploitation of this vulnerability on ViaSat RM4100 modems could have serious consequences. These modems are often used in satellite and broadband communications, including critical infrastructure and enterprise networks. A successful attack could lead to unauthorized remote code execution, enabling attackers to intercept, manipulate, or disrupt communications. This could compromise sensitive data confidentiality, disrupt network availability, and undermine the integrity of communications. Given the modem's role in connectivity, exploitation could also serve as a pivot point for lateral movement within organizational networks, increasing the risk of broader compromise. The requirement for LAN access somewhat limits remote exploitation but does not eliminate risk, especially in environments where internal network segmentation is weak or where attackers have gained initial footholds. The lack of patches increases exposure time, and organizations relying on these devices should consider the risk to operational continuity and data protection compliance under regulations such as GDPR.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should first identify all instances of ViaSat RM4100 modems within their networks, particularly those connected to LAN segments accessible by multiple users or devices. Network segmentation should be enforced to restrict access to the modem's management interfaces on TCP ports 3030 and 9882, limiting exposure to trusted administrators only. Employ strict firewall rules and access control lists to block unauthorized LAN access to these ports. Monitoring network traffic for anomalous HTTP requests targeting these ports can help detect exploitation attempts. Since no patches are currently available, organizations should engage with ViaSat for firmware updates or advisories. If possible, temporarily disable or restrict the SNORE interface or the affected web services until a patch is released. Additionally, implement network intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect buffer overflow attempts on these ports. Finally, maintain robust incident response plans to quickly isolate and remediate affected devices if exploitation is suspected.
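One way to implement the monitoring step above, as an added example that is not part of the original advisory or any vendor tooling: it reviews HTTP request log lines for traffic to TCP 3030 and 9882 that comes from outside an admin subnet or carries an unusual request path. The log format, the admin subnet, the 256-byte path threshold and the sample paths are all assumptions to replace with your own values.

```python
import ipaddress
import re

MGMT_PORTS = {3030, 9882}   # web interface ports named in the advisory
ADMIN_NETS = [ipaddress.ip_network("10.0.9.0/28")]  # assumption: admin subnet
MAX_PATH_LEN = 256          # assumption: tune to your legitimate traffic

# Constructed sensor format, not a real product's log layout:
# <ts> <src_ip> <dst_ip>:<dst_port> "<METHOD> <path> HTTP/x.y"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^\s:]+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S*) HTTP/\d\.\d"$'
)

def review(line):
    """Return the findings for one log line (empty list if none)."""
    m = LINE_RE.match(line)
    if m is None:
        return ["unparseable"]      # malformed request lines deserve a look too
    if int(m["port"]) not in MGMT_PORTS:
        return []
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return ["unparseable"]
    findings = []
    if not any(src in net for net in ADMIN_NETS):
        findings.append("non-admin-source")
    path = m["path"]
    if len(path) > MAX_PATH_LEN:
        findings.append("oversized-path")
    if any(not 0x21 <= ord(c) <= 0x7E for c in path):
        findings.append("non-printable-in-path")
    return findings

def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    return {n: f for n, line in enumerate(lines, 1) if (f := review(line))}

# Constructed sample traffic; the paths are placeholders, not real endpoints.
SAMPLE = [
    '2025-01-01T10:00:00Z 10.0.9.5 192.168.100.1:3030 "GET /status HTTP/1.1"',
    '2025-01-01T10:00:05Z 10.0.20.44 192.168.100.1:9882 "GET /status HTTP/1.1"',
    '2025-01-01T10:00:09Z 10.0.20.44 192.168.100.1:3030 "GET /' + "A" * 400 + ' HTTP/1.1"',
    '2025-01-01T10:00:12Z 10.0.20.44 192.168.100.1:80 "GET /index.html HTTP/1.1"',
    '2025-01-01T10:00:15Z 10.0.9.5 192.168.100.1:3030 "GET /a\x01b HTTP/1.1"',
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE).items():
        print(n, ", ".join(f))
```

A finding here is a prompt for review, not proof of exploitation; the source allowlist check doubles as a test that the segmentation rules are actually being enforced.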
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Norway
Technical Details
- Data Version: 5.1
- Assigner Short Name: ONEKEY
- Date Reserved: 2024-06-20T09:18:03.225Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682d9819c4522896dcbd88de
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 7/5/2025, 7:41:29 AM
Last updated: 8/13/2025, 8:54:55 AM