ID

VAR-201606-0534


TITLE

Sierra Wireless AirLink Raven XE/XT Cross-Site Request Forgery Vulnerability

Trust: 0.8

sources: IVD: 872b27f5-afcd-42a2-8289-77a1ba20e71a // CNVD: CNVD-2016-04488

DESCRIPTION

1. An attacker exploits a vulnerability to entice a user to visit a malicious link or download a malicious file. AirLink Raven XT and XE are Sierra Wireless's M2M gateways that provide remote monitoring and industrial application control. There is a credential-sniffing vulnerability in AirLink Raven XT and XE. An attacker can exploit this vulnerability to sniff credentials and log into the system. Sierra Wireless AirLink Raven XE and XT are wireless gateway products from Canada's Sierra Wireless. The Sierra Wireless AirLink Raven XE and XT gateways have the following vulnerabilities: 1. Arbitrary file upload vulnerability 2. Cross-site request forgery vulnerability 3. Information disclosure vulnerability. A remote attacker can use these vulnerabilities to upload arbitrary files, perform unauthorized operations, and obtain permissions and sensitive information about the affected device. A cross-site request-forgery and 3

Trust: 3.51

sources: CNVD: CNVD-2016-05232 // CNVD: CNVD-2016-04488 // CNVD: CNVD-2016-04487 // CNVD: CNVD-2016-04489 // CNNVD: CNNVD-201607-513 // BID: 91527 // IVD: 14d171d7-63a6-4b5b-a264-c300703c5fc6 // IVD: 872b27f5-afcd-42a2-8289-77a1ba20e71a // IVD: 19fe5897-0f84-413e-922a-1dae606b02b8

IOT TAXONOMY

category: ['ICS', 'Network device'] sub_category: -

Trust: 1.8

category: ['ICS'] sub_category: -

Trust: 0.6

category: ['Network device'] sub_category: -

Trust: 0.6

sources: IVD: 14d171d7-63a6-4b5b-a264-c300703c5fc6 // IVD: 872b27f5-afcd-42a2-8289-77a1ba20e71a // IVD: 19fe5897-0f84-413e-922a-1dae606b02b8 // CNVD: CNVD-2016-05232 // CNVD: CNVD-2016-04488 // CNVD: CNVD-2016-04487 // CNVD: CNVD-2016-04489

AFFECTED PRODUCTS

vendor: sierra model: wireless airlink raven xt scope: - version: -

Trust: 1.8

vendor: sierra model: wireless airlink raven xe scope: - version: -

Trust: 1.8

vendor: sierra model: wireless airlink raven xt scope: eq version: *

Trust: 0.6

vendor: sierra model: wireless airlink raven xe scope: eq version: *

Trust: 0.6

vendor: sierra model: wireless airlink raven xe and xt gateways scope: - version: -

Trust: 0.6

sources: IVD: 14d171d7-63a6-4b5b-a264-c300703c5fc6 // IVD: 872b27f5-afcd-42a2-8289-77a1ba20e71a // IVD: 19fe5897-0f84-413e-922a-1dae606b02b8 // CNVD: CNVD-2016-05232 // CNVD: CNVD-2016-04488 // CNVD: CNVD-2016-04487 // CNVD: CNVD-2016-04489

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2016-05232
value: HIGH

Trust: 0.6

CNVD: CNVD-2016-04488
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2016-04487
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2016-04489
value: MEDIUM

Trust: 0.6

IVD: 14d171d7-63a6-4b5b-a264-c300703c5fc6
value: MEDIUM

Trust: 0.2

IVD: 872b27f5-afcd-42a2-8289-77a1ba20e71a
value: MEDIUM

Trust: 0.2

IVD: 19fe5897-0f84-413e-922a-1dae606b02b8
value: MEDIUM

Trust: 0.2

CNVD: CNVD-2016-05232
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2016-04488
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2016-04487
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2016-04489
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 14d171d7-63a6-4b5b-a264-c300703c5fc6
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 872b27f5-afcd-42a2-8289-77a1ba20e71a
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 19fe5897-0f84-413e-922a-1dae606b02b8
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 14d171d7-63a6-4b5b-a264-c300703c5fc6 // IVD: 872b27f5-afcd-42a2-8289-77a1ba20e71a // IVD: 19fe5897-0f84-413e-922a-1dae606b02b8 // CNVD: CNVD-2016-05232 // CNVD: CNVD-2016-04488 // CNVD: CNVD-2016-04487 // CNVD: CNVD-2016-04489

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201607-513

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201607-513

EXTERNAL IDS

db: ICS CERT ALERT id: ICS-ALERT-16-182-01

Trust: 2.1

db: BID id: 91527

Trust: 1.5

db: CNVD id: CNVD-2016-04487

Trust: 0.8

db: CNVD id: CNVD-2016-04488

Trust: 0.8

db: CNVD id: CNVD-2016-04489

Trust: 0.8

db: CNVD id: CNVD-2016-05232

Trust: 0.6

db: CNNVD id: CNNVD-201607-513

Trust: 0.6

db: IVD id: 14D171D7-63A6-4B5B-A264-C300703C5FC6

Trust: 0.2

db: IVD id: 872B27F5-AFCD-42A2-8289-77A1BA20E71A

Trust: 0.2

db: IVD id: 19FE5897-0F84-413E-922A-1DAE606B02B8

Trust: 0.2

sources: IVD: 14d171d7-63a6-4b5b-a264-c300703c5fc6 // IVD: 872b27f5-afcd-42a2-8289-77a1ba20e71a // IVD: 19fe5897-0f84-413e-922a-1dae606b02b8 // CNVD: CNVD-2016-05232 // CNVD: CNVD-2016-04488 // CNVD: CNVD-2016-04487 // CNVD: CNVD-2016-04489 // BID: 91527 // CNNVD: CNNVD-201607-513

REFERENCES

url: https://ics-cert.us-cert.gov/alerts/ics-alert-16-182-01

Trust: 2.1

url: http://www.securityfocus.com/bid/91527

Trust: 1.2

url: http://www.sierrawireless.com/

Trust: 0.3

sources: CNVD: CNVD-2016-05232 // CNVD: CNVD-2016-04488 // CNVD: CNVD-2016-04487 // CNVD: CNVD-2016-04489 // BID: 91527 // CNNVD: CNNVD-201607-513

CREDITS

Karn Ganeshen

Trust: 0.9

sources: BID: 91527 // CNNVD: CNNVD-201607-513

SOURCES

db: IVD id: 14d171d7-63a6-4b5b-a264-c300703c5fc6
db: IVD id: 872b27f5-afcd-42a2-8289-77a1ba20e71a
db: IVD id: 19fe5897-0f84-413e-922a-1dae606b02b8
db: CNVD id: CNVD-2016-05232
db: CNVD id: CNVD-2016-04488
db: CNVD id: CNVD-2016-04487
db: CNVD id: CNVD-2016-04489
db: BID id: 91527
db: CNNVD id: CNNVD-201607-513

LAST UPDATE DATE

2022-05-17T02:07:07.416000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2016-05232 date: 2016-07-22T00:00:00
db: CNVD id: CNVD-2016-04488 date: 2016-07-06T00:00:00
db: CNVD id: CNVD-2016-04487 date: 2016-07-06T00:00:00
db: CNVD id: CNVD-2016-04489 date: 2016-07-06T00:00:00
db: BID id: 91527 date: 2016-06-30T00:00:00
db: CNNVD id: CNNVD-201607-513 date: 2016-07-19T00:00:00

SOURCES RELEASE DATE

db: IVD id: 14d171d7-63a6-4b5b-a264-c300703c5fc6 date: 2016-07-06T00:00:00
db: IVD id: 872b27f5-afcd-42a2-8289-77a1ba20e71a date: 2016-07-06T00:00:00
db: IVD id: 19fe5897-0f84-413e-922a-1dae606b02b8 date: 2016-07-06T00:00:00
db: CNVD id: CNVD-2016-05232 date: 2016-07-22T00:00:00
db: CNVD id: CNVD-2016-04488 date: 2016-07-06T00:00:00
db: CNVD id: CNVD-2016-04487 date: 2016-07-06T00:00:00
db: CNVD id: CNVD-2016-04489 date: 2016-07-06T00:00:00
db: BID id: 91527 date: 2016-06-30T00:00:00
db: CNNVD id: CNNVD-201607-513 date: 2016-06-30T00:00:00