Details of VAR-201706-0468

ID

VAR-201706-0468

CVE

CVE-2017-6044

TITLE

Sierra Wireless AirLink Raven XE and XT Vulnerabilities related to lack of authentication for critical functions

Trust: 0.8

sources: JVNDB: JVNDB-2017-005261

DESCRIPTION

An Improper Authorization issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Several files and directories can be accessed without authentication, which may allow a remote attacker to perform sensitive functions including arbitrary file upload, file download, and device reboot. SierraWirelessAirLinkRavenXE and XT are wireless gateway products from Sierra Wireless, Canada. A successful exploit may allow an attacker to obtain sensitive information, and perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible

Trust: 2.79

sources: NVD: CVE-2017-6044 // JVNDB: JVNDB-2017-005261 // CNVD: CNVD-2017-06884 // BID: 98036 // IVD: 353aa0fb-843c-42d0-a916-bb2cfdc511a0 // VULHUB: VHN-114247 // VULMON: CVE-2017-6044

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 353aa0fb-843c-42d0-a916-bb2cfdc511a0 // CNVD: CNVD-2017-06884

AFFECTED PRODUCTS

vendor:	sierra	model:	airlink raven xt	scope:	eq	version:	-	Trust: 1.6
vendor:	sierra	model:	airlink raven xe	scope:	lte	version:	-	Trust: 1.0
vendor:	sierra	model:	wireless airlink raven xt	scope:	eq	version:	0	Trust: 0.9
vendor:	sierra	model:	wireless airlink raven xe	scope:	eq	version:	0	Trust: 0.9
vendor:	sierra	model:	airlink raven xe	scope:	lt	version:	4.0.14	Trust: 0.8
vendor:	sierra	model:	airlink raven xt	scope:	lt	version:	4.0.11	Trust: 0.8
vendor:	sierra	model:	airlink raven xe	scope:	eq	version:	-	Trust: 0.6
vendor:	sierra	model:	wireless airlink raven xt	scope:	ne	version:	4.0.11	Trust: 0.3
vendor:	sierra	model:	wireless airlink raven xe	scope:	ne	version:	4.0.14	Trust: 0.3
vendor:	airlink raven xe	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	airlink raven xt	model:	-	scope:	eq	version:	-	Trust: 0.2

sources: IVD: 353aa0fb-843c-42d0-a916-bb2cfdc511a0 // CNVD: CNVD-2017-06884 // BID: 98036 // JVNDB: JVNDB-2017-005261 // CNNVD: CNNVD-201704-1500 // NVD: CVE-2017-6044

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-6044
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2017-6044
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2017-06884
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201704-1500
value:	CRITICAL
Trust: 0.6
IVD:	353aa0fb-843c-42d0-a916-bb2cfdc511a0
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-114247
value:	HIGH
Trust: 0.1
VULMON:	CVE-2017-6044
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-6044
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2017-06884
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	353aa0fb-843c-42d0-a916-bb2cfdc511a0
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-114247
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-6044
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: IVD: 353aa0fb-843c-42d0-a916-bb2cfdc511a0 // CNVD: CNVD-2017-06884 // VULHUB: VHN-114247 // VULMON: CVE-2017-6044 // JVNDB: JVNDB-2017-005261 // CNNVD: CNNVD-201704-1500 // NVD: CVE-2017-6044

PROBLEMTYPE DATA

problemtype:	CWE-306	Trust: 1.9
problemtype:	CWE-285	Trust: 1.0

sources: VULHUB: VHN-114247 // JVNDB: JVNDB-2017-005261 // NVD: CVE-2017-6044

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-1500

TYPE

Access control error

Trust: 0.8

sources: IVD: 353aa0fb-843c-42d0-a916-bb2cfdc511a0 // CNNVD: CNNVD-201704-1500

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-005261

PATCH

title:	AirLink Raven XE	url:	https://source.sierrawireless.com/devices/raven-series/raven-xe/	Trust: 0.8
title:	AirLink Raven XT	url:	https://source.sierrawireless.com/devices/raven-series/raven-xt/	Trust: 0.8
title:	Patch for SierraWirelessAirLinkRavenXE and XT File Download Vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/93893	Trust: 0.6
title:	Sierra Wireless AirLink Raven XE and XT Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69693	Trust: 0.6

sources: CNVD: CNVD-2017-06884 // JVNDB: JVNDB-2017-005261 // CNNVD: CNNVD-201704-1500

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6044	Trust: 3.7
db:	ICS CERT	id:	ICSA-17-115-02	Trust: 2.9
db:	BID	id:	98036	Trust: 2.7
db:	CNNVD	id:	CNNVD-201704-1500	Trust: 0.9
db:	CNVD	id:	CNVD-2017-06884	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-005261	Trust: 0.8
db:	IVD	id:	353AA0FB-843C-42D0-A916-BB2CFDC511A0	Trust: 0.2
db:	VULHUB	id:	VHN-114247	Trust: 0.1
db:	VULMON	id:	CVE-2017-6044	Trust: 0.1

sources: IVD: 353aa0fb-843c-42d0-a916-bb2cfdc511a0 // CNVD: CNVD-2017-06884 // VULHUB: VHN-114247 // VULMON: CVE-2017-6044 // BID: 98036 // JVNDB: JVNDB-2017-005261 // CNNVD: CNNVD-201704-1500 // NVD: CVE-2017-6044

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-115-02	Trust: 3.0
url:	http://www.securityfocus.com/bid/98036	Trust: 2.5
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6044	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6044	Trust: 0.8
url:	http://subscriber.communications.siemens.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/306.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2017-06884 // VULHUB: VHN-114247 // VULMON: CVE-2017-6044 // BID: 98036 // JVNDB: JVNDB-2017-005261 // CNNVD: CNNVD-201704-1500 // NVD: CVE-2017-6044

CREDITS

Karn Ganeshen.

Trust: 0.9

sources: BID: 98036 // CNNVD: CNNVD-201704-1500

SOURCES

db:	IVD	id:	353aa0fb-843c-42d0-a916-bb2cfdc511a0
db:	CNVD	id:	CNVD-2017-06884
db:	VULHUB	id:	VHN-114247
db:	VULMON	id:	CVE-2017-6044
db:	BID	id:	98036
db:	JVNDB	id:	JVNDB-2017-005261
db:	CNNVD	id:	CNNVD-201704-1500
db:	NVD	id:	CVE-2017-6044

LAST UPDATE DATE

2025-04-20T23:34:21.465000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-06884	date:	2017-05-18T00:00:00
db:	VULHUB	id:	VHN-114247	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2017-6044	date:	2019-10-09T00:00:00
db:	BID	id:	98036	date:	2017-05-02T01:09:00
db:	JVNDB	id:	JVNDB-2017-005261	date:	2017-07-25T00:00:00
db:	CNNVD	id:	CNNVD-201704-1500	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-6044	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	353aa0fb-843c-42d0-a916-bb2cfdc511a0	date:	2017-05-18T00:00:00
db:	CNVD	id:	CNVD-2017-06884	date:	2017-05-18T00:00:00
db:	VULHUB	id:	VHN-114247	date:	2017-06-30T00:00:00
db:	VULMON	id:	CVE-2017-6044	date:	2017-06-30T00:00:00
db:	BID	id:	98036	date:	2017-04-25T00:00:00
db:	JVNDB	id:	JVNDB-2017-005261	date:	2017-07-25T00:00:00
db:	CNNVD	id:	CNNVD-201704-1500	date:	2017-04-28T00:00:00
db:	NVD	id:	CVE-2017-6044	date:	2017-06-30T03:29:00.627