Details of VAR-201411-0358

ID

VAR-201411-0358

CVE

CVE-2014-8387

TITLE

Advantech EKI-6340 Command injection vulnerability

Trust: 0.8

sources: IVD: b636bae2-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08421

DESCRIPTION

cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi. The EKI-6340 series is one of the outdoor wireless MeshAP products. The Advantech EKI-6340 has a command injection vulnerability because it does not properly filter user-supplied input. Allows an attacker to execute arbitrary commands in the context of the affected device. There is a security vulnerability in the cgi/utility.cgi file of Advantech EKI-6340 version 2.05

Trust: 2.7

sources: NVD: CVE-2014-8387 // JVNDB: JVNDB-2014-005552 // CNVD: CNVD-2014-08421 // BID: 71192 // IVD: b636bae2-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-76332

IOT TAXONOMY

category:	['ICS']	sub_category:	-	Trust: 0.8
category:	['network device']	sub_category:	access point	Trust: 0.1

sources: OTHER: None // IVD: b636bae2-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08421

AFFECTED PRODUCTS

vendor:	advantech	model:	eki-6340	scope:	eq	version:	2.05	Trust: 2.4
vendor:	advantech	model:	eki-6340	scope:	eq	version:	-	Trust: 1.0
vendor:	advantech	model:	eki-6340	scope:	eq	version:	wi-fi mesh access point	Trust: 0.8
vendor:	advantech	model:	eki-6340	scope:	-	version:	-	Trust: 0.6
vendor:	eki 6340	model:	-	scope:	eq	version:	2.05	Trust: 0.2
vendor:	eki 6340	model:	-	scope:	eq	version:	-	Trust: 0.2

sources: IVD: b636bae2-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08421 // JVNDB: JVNDB-2014-005552 // CNNVD: CNNVD-201411-363 // NVD: CVE-2014-8387

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-8387
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-8387
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2014-08421
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201411-363
value:	CRITICAL
Trust: 0.6
IVD:	b636bae2-2351-11e6-abef-000c29c66e3d
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-76332
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-8387
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-08421
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	b636bae2-2351-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-76332
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: b636bae2-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08421 // VULHUB: VHN-76332 // JVNDB: JVNDB-2014-005552 // CNNVD: CNNVD-201411-363 // NVD: CVE-2014-8387

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.9

sources: VULHUB: VHN-76332 // JVNDB: JVNDB-2014-005552 // NVD: CVE-2014-8387

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-363

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201411-363

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005552

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-76332

PATCH

title:	EKI-6340	url:	http://www.advantech.com.tw/products/56bfcf50-1ada-4ac6-aaf5-4e726ebad002/EKI-6340/mod_04f43dee-f991-44f1-aa1b-bbb1b30f2a72.aspx	Trust: 0.8
title:	Advantech EKI-6340 Command Injection Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/52043	Trust: 0.6

sources: CNVD: CNVD-2014-08421 // JVNDB: JVNDB-2014-005552

EXTERNAL IDS

db:	NVD	id:	CVE-2014-8387	Trust: 3.7
db:	BID	id:	71192	Trust: 2.6
db:	CNNVD	id:	CNNVD-201411-363	Trust: 0.9
db:	CNVD	id:	CNVD-2014-08421	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-005552	Trust: 0.8
db:	IVD	id:	B636BAE2-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	OTHER	id:	NONE	Trust: 0.1
db:	EXPLOIT-DB	id:	35357	Trust: 0.1
db:	PACKETSTORM	id:	129185	Trust: 0.1
db:	VULHUB	id:	VHN-76332	Trust: 0.1

sources: OTHER: None // IVD: b636bae2-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08421 // VULHUB: VHN-76332 // BID: 71192 // JVNDB: JVNDB-2014-005552 // CNNVD: CNNVD-201411-363 // NVD: CVE-2014-8387

REFERENCES

url:	http://www.coresecurity.com/advisories/advantech-eki-6340-command-injection	Trust: 2.5
url:	http://www.securityfocus.com/bid/71192	Trust: 2.3
url:	http://seclists.org/fulldisclosure/2014/nov/58	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/534021/100/0/threaded	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8387	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8387	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/archive/1/534021/100/0/threaded	Trust: 0.6
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2014-08421 // VULHUB: VHN-76332 // JVNDB: JVNDB-2014-005552 // CNNVD: CNNVD-201411-363 // NVD: CVE-2014-8387

CREDITS

Facundo Pantaleo and Flavio Cangini from Core Security Engineering Team

Trust: 0.3

sources: BID: 71192

SOURCES

db:	OTHER	id:	-
db:	IVD	id:	b636bae2-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2014-08421
db:	VULHUB	id:	VHN-76332
db:	BID	id:	71192
db:	JVNDB	id:	JVNDB-2014-005552
db:	CNNVD	id:	CNNVD-201411-363
db:	NVD	id:	CVE-2014-8387

LAST UPDATE DATE

2025-04-13T21:46:24.844000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-08421	date:	2014-11-21T00:00:00
db:	VULHUB	id:	VHN-76332	date:	2018-10-09T00:00:00
db:	BID	id:	71192	date:	2014-11-24T01:02:00
db:	JVNDB	id:	JVNDB-2014-005552	date:	2014-11-21T00:00:00
db:	CNNVD	id:	CNNVD-201411-363	date:	2014-11-21T00:00:00
db:	NVD	id:	CVE-2014-8387	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	IVD	id:	b636bae2-2351-11e6-abef-000c29c66e3d	date:	2014-11-21T00:00:00
db:	CNVD	id:	CNVD-2014-08421	date:	2014-11-21T00:00:00
db:	VULHUB	id:	VHN-76332	date:	2014-11-20T00:00:00
db:	BID	id:	71192	date:	2014-11-19T00:00:00
db:	JVNDB	id:	JVNDB-2014-005552	date:	2014-11-21T00:00:00
db:	CNNVD	id:	CNNVD-201411-363	date:	2014-11-21T00:00:00
db:	NVD	id:	CVE-2014-8387	date:	2014-11-20T13:55:01.687