ID

VAR-201407-0741


TITLE

Lian Li Network Attached Storage Multiple Security Vulnerabilities

Trust: 0.9

sources: BID: 68895 // CNNVD: CNNVD-201407-669

DESCRIPTION

Lian Li Network Attached Storage is a NAS network storage device from Lian Li. Lian Li NAS has a hard-coded FTP server key vulnerability in 'cacert.pem' that allows remote attackers to access the FTP server. Multiple scripts on Lian Li NAS have cross-site request forgery vulnerabilities, which allow context-sensitive attackers to initiate cross-site request forgery attacks by enticing users to use the following specially crafted links. Lian Li NAS also has a backdoor account vulnerability: the MySQL account has a password of "123456" and the "daemon" account has a password of "123456". This allows remote attackers to gain privileged access to the device. Attackers can use these vulnerabilities to obtain sensitive information, bypass authentication mechanisms, and perform unauthorized operations. A password-disclosure vulnerability 2. An authentication-bypass vulnerability 3. This may aid in further attacks.

Trust: 3.51

sources: CNVD: CNVD-2014-04862 // CNVD: CNVD-2014-04861 // CNVD: CNVD-2014-04860 // CNVD: CNVD-2014-04859 // CNVD: CNVD-2014-04863 // CNNVD: CNNVD-201407-669 // BID: 68895

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 3.0

sources: CNVD: CNVD-2014-04862 // CNVD: CNVD-2014-04861 // CNVD: CNVD-2014-04860 // CNVD: CNVD-2014-04859 // CNVD: CNVD-2014-04863

AFFECTED PRODUCTS

vendor: lian, model: li co. ltd lian li nas, scope: -, version: -

Trust: 3.0

vendor: lian, model: li network attached storage, scope: eq, version: 0

Trust: 0.3

sources: CNVD: CNVD-2014-04862 // CNVD: CNVD-2014-04861 // CNVD: CNVD-2014-04860 // CNVD: CNVD-2014-04859 // CNVD: CNVD-2014-04863 // BID: 68895

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2014-04862
value: HIGH

Trust: 0.6

CNVD: CNVD-2014-04861
value: HIGH

Trust: 0.6

CNVD: CNVD-2014-04860
value: LOW

Trust: 0.6

CNVD: CNVD-2014-04859
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2014-04863
value: HIGH

Trust: 0.6

CNVD: CNVD-2014-04862
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2014-04861
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2014-04860
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2014-04859
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2014-04863
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2014-04862 // CNVD: CNVD-2014-04861 // CNVD: CNVD-2014-04860 // CNVD: CNVD-2014-04859 // CNVD: CNVD-2014-04863

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-669

TYPE

Design Error

Trust: 0.3

sources: BID: 68895

EXTERNAL IDS

db: BID, id: 68895

Trust: 3.9

db: OSVDB, id: 109521

Trust: 0.6

db: CNVD, id: CNVD-2014-04862

Trust: 0.6

db: OSVDB, id: 109522

Trust: 0.6

db: CNVD, id: CNVD-2014-04861

Trust: 0.6

db: OSVDB, id: 109519

Trust: 0.6

db: CNVD, id: CNVD-2014-04860

Trust: 0.6

db: OSVDB, id: 109518

Trust: 0.6

db: CNVD, id: CNVD-2014-04859

Trust: 0.6

db: OSVDB, id: 109520

Trust: 0.6

db: CNVD, id: CNVD-2014-04863

Trust: 0.6

db: CNNVD, id: CNNVD-201407-669

Trust: 0.6

sources: CNVD: CNVD-2014-04862 // CNVD: CNVD-2014-04861 // CNVD: CNVD-2014-04860 // CNVD: CNVD-2014-04859 // CNVD: CNVD-2014-04863 // BID: 68895 // CNNVD: CNNVD-201407-669

REFERENCES

url: http://www.securityfocus.com/bid/68895

Trust: 1.2

url: http://osvdb.com/show/osvdb/109521

Trust: 0.6

url: http://osvdb.com/show/osvdb/109522

Trust: 0.6

url: http://osvdb.com/show/osvdb/109519

Trust: 0.6

url: http://osvdb.com/show/osvdb/109518

Trust: 0.6

url: http://osvdb.com/show/osvdb/109520

Trust: 0.6

url: http://www.lian-li.com/en/dt_portfolio_category/nas/

Trust: 0.3

sources: CNVD: CNVD-2014-04862 // CNVD: CNVD-2014-04861 // CNVD: CNVD-2014-04860 // CNVD: CNVD-2014-04859 // CNVD: CNVD-2014-04863 // BID: 68895 // CNNVD: CNNVD-201407-669

CREDITS

pws

Trust: 0.9

sources: BID: 68895 // CNNVD: CNNVD-201407-669

SOURCES

db: CNVD, id: CNVD-2014-04862
db: CNVD, id: CNVD-2014-04861
db: CNVD, id: CNVD-2014-04860
db: CNVD, id: CNVD-2014-04859
db: CNVD, id: CNVD-2014-04863
db: BID, id: 68895
db: CNNVD, id: CNNVD-201407-669

LAST UPDATE DATE

2022-05-17T02:09:49.501000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-04862, date: 2014-08-08T00:00:00
db: CNVD, id: CNVD-2014-04861, date: 2014-08-10T00:00:00
db: CNVD, id: CNVD-2014-04860, date: 2014-08-08T00:00:00
db: CNVD, id: CNVD-2014-04859, date: 2014-08-08T00:00:00
db: CNVD, id: CNVD-2014-04863, date: 2020-03-10T00:00:00
db: BID, id: 68895, date: 2014-07-21T00:00:00
db: CNNVD, id: CNNVD-201407-669, date: 2014-07-29T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2014-04862, date: 2014-08-08T00:00:00
db: CNVD, id: CNVD-2014-04861, date: 2014-08-08T00:00:00
db: CNVD, id: CNVD-2014-04860, date: 2014-08-08T00:00:00
db: CNVD, id: CNVD-2014-04859, date: 2014-08-08T00:00:00
db: CNVD, id: CNVD-2014-04863, date: 2014-08-08T00:00:00
db: BID, id: 68895, date: 2014-07-21T00:00:00
db: CNNVD, id: CNNVD-201407-669, date: 2014-07-29T00:00:00