ID

VAR-201706-0466


CVE

CVE-2017-6042


TITLE

Sierra Wireless AirLink Raven XE and XT Cross-Site Request Forgery Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2017-06451 // CNNVD: CNNVD-201704-1501

DESCRIPTION

A Cross-Site Request Forgery issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Affected devices do not verify that a request was intentionally sent by the logged-in user, so an attacker who can get an authenticated user's browser to load a crafted page or link can make it submit a request to the gateway's web server that is treated as an authentic request from that user. Sierra Wireless AirLink Raven XE and XT are wireless gateway products from Sierra Wireless, Canada. The cross-site request forgery vulnerability exists because the web interface does not check that a request was intentionally made by the logged-in user (for example by requiring an anti-CSRF token tied to the session). A remote attacker could exploit this vulnerability to perform unauthorized operations with the victim user's privileges. Other attacks are also possible.

Trust: 2.7

sources: NVD: CVE-2017-6042 // JVNDB: JVNDB-2017-005260 // CNVD: CNVD-2017-06451 // BID: 98036 // IVD: a9cdf060-16a9-4232-9523-14f306451840 // VULHUB: VHN-114245
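As an added example (not Sierra Wireless code, and not taken from the AirLink firmware), the following Python shows the pattern CWE-352 describes: a configuration handler that accepts any request carrying a valid session cookie, beside a hardened handler that additionally requires a session-bound anti-CSRF token and checks the Origin (or Referer) header against the device's own origin. The gateway address, session store, form fields and handler names are all constructed assumptions for the demonstration; the forged request models what a victim's browser sends when an attacker's page auto-submits a form to the gateway.

```python
"""Added example, not Sierra Wireless code: the CWE-352 pattern in a device web UI.

Assumed for the demonstration: a gateway reachable at DEVICE_ORIGIN, one logged-in
admin session, and a form endpoint that changes the admin password. None of these
names or values come from the AirLink firmware.
"""
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGIN = "https://192.0.2.1"            # assumed gateway address (RFC 5737 test range)
SESSIONS = {"s3ss10n": {"user": "admin"}}      # constructed: one authenticated session
CONFIG = {"admin_password": "original"}        # constructed: the state the attacker wants to change
SECRET_KEY = secrets.token_bytes(32)           # per-boot key used to mint anti-CSRF tokens


def csrf_token(session_id):
    """Session-bound token. The attacker's page runs on another origin and cannot read it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def apply_config(form):
    CONFIG["admin_password"] = form["password"]


def handle_vulnerable(cookies, headers, form):
    """Vulnerable: a valid session cookie is the only evidence that the user meant to send this.
    The browser attaches that cookie to a cross-site form post as well, so a forged request passes."""
    if cookies.get("sid") not in SESSIONS:
        return "401 Unauthorized"
    apply_config(form)
    return "200 OK"


def handle_hardened(cookies, headers, form):
    """Hardened: same authentication, plus two independent checks that the request came
    from the device's own pages rather than from an attacker-controlled site."""
    sid = cookies.get("sid")
    if sid not in SESSIONS:
        return "401 Unauthorized"
    # Check 1: Origin (Referer as fallback) must be the device itself; a state-changing
    # request with neither header is rejected rather than waved through.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return "403 Forbidden: no Origin or Referer on a state-changing request"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != DEVICE_ORIGIN:
        return "403 Forbidden: cross-site origin"
    # Check 2: the form must carry the token bound to this session, compared in constant time.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(sid).encode()):
        return "403 Forbidden: missing or wrong CSRF token"
    apply_config(form)
    return "200 OK"


def forged_request():
    """What the victim's browser sends when an attacker's page auto-submits a form to the
    gateway: the session cookie rides along automatically, Origin is the attacker's site, no token."""
    return ({"sid": "s3ss10n"},
            {"Origin": "https://attacker.example"},
            {"password": "pwned"})


def legitimate_request():
    """A submission from the device's own configuration page, which embedded the token."""
    return ({"sid": "s3ss10n"},
            {"Origin": DEVICE_ORIGIN},
            {"password": "new-strong-pass", "csrf_token": csrf_token("s3ss10n")})


def run_scenarios():
    """Replays the forged and legitimate requests against both handlers and records
    the admin password after each, so the effect of the missing check is visible."""
    results = {}
    CONFIG["admin_password"] = "original"
    results["vulnerable/forged"] = handle_vulnerable(*forged_request())
    results["vulnerable/forged/password"] = CONFIG["admin_password"]
    CONFIG["admin_password"] = "original"
    results["hardened/forged"] = handle_hardened(*forged_request())
    results["hardened/forged/password"] = CONFIG["admin_password"]
    results["hardened/legit"] = handle_hardened(*legitimate_request())
    results["hardened/legit/password"] = CONFIG["admin_password"]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28} {outcome}")
```

The two checks are deliberately independent: the Origin/Referer comparison stops the forged post even if a token leaks, and the token stops it even when a client strips those headers (in which case the hardened handler fails closed). Marking the session cookie SameSite=Lax or Strict is a third, browser-side layer; none of the three replaces the others.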

IOT TAXONOMY

category: ['ICS', 'Network device'] | sub_category: -

Trust: 0.6

category: ['ICS'] | sub_category: -

Trust: 0.2

sources: IVD: a9cdf060-16a9-4232-9523-14f306451840 // CNVD: CNVD-2017-06451

AFFECTED PRODUCTS

vendor: sierra | model: airlink raven xt | scope: eq | version: -

Trust: 1.6

vendor: sierra | model: airlink raven xe | scope: lte | version: -

Trust: 1.0

vendor: sierra | model: airlink raven xe | scope: lt | version: 4.0.14

Trust: 0.8

vendor: sierra | model: airlink raven xt | scope: lt | version: 4.0.11

Trust: 0.8

vendor: sierra | model: wireless airlink raven xe | scope: - | version: -

Trust: 0.6

vendor: sierra | model: wireless airlink raven xt | scope: lt | version: 4.0.11

Trust: 0.6

vendor: sierra | model: airlink raven xe | scope: eq | version: -

Trust: 0.6

vendor: sierra | model: wireless airlink raven xt | scope: eq | version: 0

Trust: 0.3

vendor: sierra | model: wireless airlink raven xe | scope: eq | version: 0

Trust: 0.3

vendor: sierra | model: wireless airlink raven xt | scope: ne | version: 4.0.11

Trust: 0.3

vendor: sierra | model: wireless airlink raven xe | scope: ne | version: 4.0.14

Trust: 0.3

vendor: airlink raven xe | model: - | scope: eq | version: *

Trust: 0.2

vendor: airlink raven xt | model: - | scope: eq | version: -

Trust: 0.2

sources: IVD: a9cdf060-16a9-4232-9523-14f306451840 // CNVD: CNVD-2017-06451 // BID: 98036 // JVNDB: JVNDB-2017-005260 // CNNVD: CNNVD-201704-1501 // NVD: CVE-2017-6042

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-6042
value: HIGH

Trust: 1.0

NVD: CVE-2017-6042
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-06451
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201704-1501
value: HIGH

Trust: 0.6

IVD: a9cdf060-16a9-4232-9523-14f306451840
value: HIGH

Trust: 0.2

VULHUB: VHN-114245
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-6042
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-06451
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: a9cdf060-16a9-4232-9523-14f306451840
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-114245
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-6042
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: a9cdf060-16a9-4232-9523-14f306451840 // CNVD: CNVD-2017-06451 // VULHUB: VHN-114245 // JVNDB: JVNDB-2017-005260 // CNNVD: CNNVD-201704-1501 // NVD: CVE-2017-6042

PROBLEMTYPE DATA

problemtype: CWE-352 (Cross-Site Request Forgery)

Trust: 1.9

sources: VULHUB: VHN-114245 // JVNDB: JVNDB-2017-005260 // NVD: CVE-2017-6042

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-1501

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201704-1501

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-005260

PATCH

title: AirLink Raven XE | url: https://source.sierrawireless.com/devices/raven-series/raven-xe/

Trust: 0.8

title: AirLink Raven XT | url: https://source.sierrawireless.com/devices/raven-series/raven-xt/

Trust: 0.8

title: Patch for Sierra Wireless AirLink Raven XE and XT Cross-Site Request Forgery Vulnerability | url: https://www.cnvd.org.cn/patchInfo/show/93570

Trust: 0.6

title: Sierra Wireless AirLink Raven XE and XT fixes for cross-site request forgery vulnerability | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69694

Trust: 0.6

sources: CNVD: CNVD-2017-06451 // JVNDB: JVNDB-2017-005260 // CNNVD: CNNVD-201704-1501

EXTERNAL IDS

db: NVD | id: CVE-2017-6042

Trust: 3.6

db: ICS CERT | id: ICSA-17-115-02

Trust: 2.8

db: BID | id: 98036

Trust: 2.6

db: CNNVD | id: CNNVD-201704-1501

Trust: 0.9

db: CNVD | id: CNVD-2017-06451

Trust: 0.8

db: JVNDB | id: JVNDB-2017-005260

Trust: 0.8

db: IVD | id: A9CDF060-16A9-4232-9523-14F306451840

Trust: 0.2

db: VULHUB | id: VHN-114245

Trust: 0.1

sources: IVD: a9cdf060-16a9-4232-9523-14f306451840 // CNVD: CNVD-2017-06451 // VULHUB: VHN-114245 // BID: 98036 // JVNDB: JVNDB-2017-005260 // CNNVD: CNNVD-201704-1501 // NVD: CVE-2017-6042

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-17-115-02

Trust: 2.8

url: http://www.securityfocus.com/bid/98036

Trust: 2.3

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6042

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-6042

Trust: 0.8

url: http://subscriber.communications.siemens.com/

Trust: 0.3

sources: CNVD: CNVD-2017-06451 // VULHUB: VHN-114245 // BID: 98036 // JVNDB: JVNDB-2017-005260 // CNNVD: CNNVD-201704-1501 // NVD: CVE-2017-6042

CREDITS

Karn Ganeshen.

Trust: 0.9

sources: BID: 98036 // CNNVD: CNNVD-201704-1501

SOURCES

db: IVD | id: a9cdf060-16a9-4232-9523-14f306451840
db: CNVD | id: CNVD-2017-06451
db: VULHUB | id: VHN-114245
db: BID | id: 98036
db: JVNDB | id: JVNDB-2017-005260
db: CNNVD | id: CNNVD-201704-1501
db: NVD | id: CVE-2017-6042

LAST UPDATE DATE

2025-04-20T23:34:21.507000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2017-06451 | date: 2017-05-14T00:00:00
db: VULHUB | id: VHN-114245 | date: 2019-10-09T00:00:00
db: BID | id: 98036 | date: 2017-05-02T01:09:00
db: JVNDB | id: JVNDB-2017-005260 | date: 2017-07-25T00:00:00
db: CNNVD | id: CNNVD-201704-1501 | date: 2019-10-17T00:00:00
db: NVD | id: CVE-2017-6042 | date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD | id: a9cdf060-16a9-4232-9523-14f306451840 | date: 2017-05-14T00:00:00
db: CNVD | id: CNVD-2017-06451 | date: 2017-05-14T00:00:00
db: VULHUB | id: VHN-114245 | date: 2017-06-30T00:00:00
db: BID | id: 98036 | date: 2017-04-25T00:00:00
db: JVNDB | id: JVNDB-2017-005260 | date: 2017-07-25T00:00:00
db: CNNVD | id: CNNVD-201704-1501 | date: 2017-04-28T00:00:00
db: NVD | id: CVE-2017-6042 | date: 2017-06-30T03:29:00.593