Details of VAR-201702-0858

ID

VAR-201702-0858

CVE

CVE-2016-9357

TITLE

specific Eaton ePDUs Legacy products vulnerable to path traversal

Trust: 0.8

sources: JVNDB: JVNDB-2016-008007

DESCRIPTION

An issue was discovered in certain legacy Eaton ePDUs -- the affected products are past end-of-life (EoL) and no longer supported: EAMxxx prior to June 30, 2015, EMAxxx prior to January 31, 2014, EAMAxx prior to January 31, 2014, EMAAxx prior to January 31, 2014, and ESWAxx prior to January 31, 2014. An unauthenticated attacker may be able to access configuration files with a specially crafted URL (Path Traversal). Eaton ePDUs EAMxxx is a rack power distribution unit module from Eaton Corporation of the United States. Multiple Eaton ePDU products are prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. Remote attackers may use a specially crafted request with directory-traversal sequences ('../') to retrieve sensitive information. This may aid in further attacks. A path traversal vulnerability exists in several Eaton ePDUs

Trust: 2.7

sources: NVD: CVE-2016-9357 // JVNDB: JVNDB-2016-008007 // CNVD: CNVD-2017-02222 // BID: 95817 // IVD: 3ab40fc1-7e1a-4cd3-9854-eb10e1836be3 // VULHUB: VHN-98177

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 3ab40fc1-7e1a-4cd3-9854-eb10e1836be3 // CNVD: CNVD-2017-02222

AFFECTED PRODUCTS

vendor:	eaton	model:	eswaxx series epdu	scope:	lte	version:	01-31-2014	Trust: 1.0
vendor:	eaton	model:	eamaxx series epdu	scope:	lte	version:	01-31-2014	Trust: 1.0
vendor:	eaton	model:	emaaxx series epdu	scope:	lte	version:	01-31-2014	Trust: 1.0
vendor:	eaton	model:	emaxxx series epdu	scope:	lte	version:	01-31-2014	Trust: 1.0
vendor:	eaton	model:	eamxxx series epdu	scope:	lte	version:	06-30-2015	Trust: 1.0
vendor:	eaton	model:	epdu eamaxx series	scope:	eq	version:	2014/01/31	Trust: 0.8
vendor:	eaton	model:	epdu eamxxx series	scope:	eq	version:	2015/06/30	Trust: 0.8
vendor:	eaton	model:	epdu emaaxx series	scope:	eq	version:	2014/01/31	Trust: 0.8
vendor:	eaton	model:	epdu emaxxx series	scope:	eq	version:	2014/01/31	Trust: 0.8
vendor:	eaton	model:	epdu eswaxx series	scope:	eq	version:	2014/01/31	Trust: 0.8
vendor:	eaton	model:	epdu	scope:	-	version:	-	Trust: 0.6
vendor:	eaton	model:	eswaxx series epdu	scope:	eq	version:	01-31-2014	Trust: 0.6
vendor:	eaton	model:	eamxxx series epdu	scope:	eq	version:	06-30-2015	Trust: 0.6
vendor:	eaton	model:	emaaxx series epdu	scope:	eq	version:	01-31-2014	Trust: 0.6
vendor:	eaton	model:	eamaxx series epdu	scope:	eq	version:	01-31-2014	Trust: 0.6
vendor:	eaton	model:	emaxxx series epdu	scope:	eq	version:	01-31-2014	Trust: 0.6
vendor:	eaton	model:	epdu eswaxx	scope:	eq	version:	0	Trust: 0.3
vendor:	eaton	model:	epdu emaxxx	scope:	eq	version:	0	Trust: 0.3
vendor:	eaton	model:	epdu emaaxx	scope:	eq	version:	0	Trust: 0.3
vendor:	eaton	model:	epdu eamxxx	scope:	eq	version:	0	Trust: 0.3
vendor:	eaton	model:	epdu eamaxx	scope:	eq	version:	0	Trust: 0.3
vendor:	eamxxx series epdu	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	emaxxx series epdu	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	eamaxx series epdu	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	emaaxx series epdu	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	eswaxx series epdu	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 3ab40fc1-7e1a-4cd3-9854-eb10e1836be3 // CNVD: CNVD-2017-02222 // BID: 95817 // JVNDB: JVNDB-2016-008007 // CNNVD: CNNVD-201702-462 // NVD: CVE-2016-9357

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-9357
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-9357
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-02222
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201702-462
value:	MEDIUM
Trust: 0.6
IVD:	3ab40fc1-7e1a-4cd3-9854-eb10e1836be3
value:	MEDIUM
Trust: 0.2
VULHUB:	VHN-98177
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-9357
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-02222
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	3ab40fc1-7e1a-4cd3-9854-eb10e1836be3
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-98177
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-9357
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 1.8

sources: IVD: 3ab40fc1-7e1a-4cd3-9854-eb10e1836be3 // CNVD: CNVD-2017-02222 // VULHUB: VHN-98177 // JVNDB: JVNDB-2016-008007 // CNNVD: CNNVD-201702-462 // NVD: CVE-2016-9357

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.9

sources: VULHUB: VHN-98177 // JVNDB: JVNDB-2016-008007 // NVD: CVE-2016-9357

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-462

TYPE

Path traversal

Trust: 0.8

sources: IVD: 3ab40fc1-7e1a-4cd3-9854-eb10e1836be3 // CNNVD: CNNVD-201702-462

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-008007

PATCH

title:	Top Page	url:	http://www.eaton.com/Eaton/index.htm	Trust: 0.8
title:	Patches for multiple Eaton ePDUs path traversal vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/89870	Trust: 0.6

sources: CNVD: CNVD-2017-02222 // JVNDB: JVNDB-2016-008007

EXTERNAL IDS

db:	NVD	id:	CVE-2016-9357	Trust: 3.6
db:	ICS CERT	id:	ICSA-17-026-01	Trust: 3.4
db:	BID	id:	95817	Trust: 1.4
db:	CNNVD	id:	CNNVD-201702-462	Trust: 0.9
db:	CNVD	id:	CNVD-2017-02222	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-008007	Trust: 0.8
db:	IVD	id:	3AB40FC1-7E1A-4CD3-9854-EB10E1836BE3	Trust: 0.2
db:	VULHUB	id:	VHN-98177	Trust: 0.1

sources: IVD: 3ab40fc1-7e1a-4cd3-9854-eb10e1836be3 // CNVD: CNVD-2017-02222 // VULHUB: VHN-98177 // BID: 95817 // JVNDB: JVNDB-2016-008007 // CNNVD: CNNVD-201702-462 // NVD: CVE-2016-9357

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-026-01	Trust: 3.4
url:	http://www.securityfocus.com/bid/95817	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9357	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2016-9357	Trust: 0.8
url:	http://www.eaton.com/	Trust: 0.3

sources: CNVD: CNVD-2017-02222 // VULHUB: VHN-98177 // BID: 95817 // JVNDB: JVNDB-2016-008007 // CNNVD: CNNVD-201702-462 // NVD: CVE-2016-9357

CREDITS

Maxim Rupp

Trust: 0.3

sources: BID: 95817

SOURCES

db:	IVD	id:	3ab40fc1-7e1a-4cd3-9854-eb10e1836be3
db:	CNVD	id:	CNVD-2017-02222
db:	VULHUB	id:	VHN-98177
db:	BID	id:	95817
db:	JVNDB	id:	JVNDB-2016-008007
db:	CNNVD	id:	CNNVD-201702-462
db:	NVD	id:	CVE-2016-9357

LAST UPDATE DATE

2025-04-20T23:22:30.306000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-02222	date:	2017-03-01T00:00:00
db:	VULHUB	id:	VHN-98177	date:	2017-03-16T00:00:00
db:	BID	id:	95817	date:	2017-02-02T00:05:00
db:	JVNDB	id:	JVNDB-2016-008007	date:	2017-04-06T00:00:00
db:	CNNVD	id:	CNNVD-201702-462	date:	2017-02-20T00:00:00
db:	NVD	id:	CVE-2016-9357	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	3ab40fc1-7e1a-4cd3-9854-eb10e1836be3	date:	2017-03-01T00:00:00
db:	CNVD	id:	CNVD-2017-02222	date:	2017-03-01T00:00:00
db:	VULHUB	id:	VHN-98177	date:	2017-02-13T00:00:00
db:	BID	id:	95817	date:	2017-01-26T00:00:00
db:	JVNDB	id:	JVNDB-2016-008007	date:	2017-04-06T00:00:00
db:	CNNVD	id:	CNNVD-201702-462	date:	2017-02-15T00:00:00
db:	NVD	id:	CVE-2016-9357	date:	2017-02-13T21:59:02.017