Sign-up

ID

VAR-201707-0329


CVE

CVE-2017-2237


TITLE

OS command injection vulnerability in Toshiba Lighting & Technology Corporation Home gateway

Trust: 0.8

sources: JVNDB: JVNDB-2017-000150

DESCRIPTION

Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlier. Toshiba Home gateway HEM-GW26A firmware HEM-GW26A-FW-V1.2.0 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors. Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.An arbitrary OS command may be executed on the device. There is an operating system command injection vulnerability in TOSHIBAHomeGatewayHEM-GW26A using HEM-GW26A-FW-V1.2.0 and previous firmware and TOSHIBAHomeGatewayHEM-GW16A using HEM-GW16A-FW-V1.2.0 and previous firmware. An attacker could exploit this vulnerability to execute arbitrary operating system commands. Failed exploit attempts will result in a denial-of-service condition

Trust: 2.52

sources: NVD: CVE-2017-2237 // JVNDB: JVNDB-2017-000150 // CNVD: CNVD-2017-12981 // BID: 101047 // VULHUB: VHN-110440

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

category:['network device']sub_category:gateway

Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2017-12981

AFFECTED PRODUCTS

vendor:toshibamodel:hem-gw16ascope:lteversion:1.2.0

Trust: 1.0

vendor:toshibamodel:hem-gw26ascope:lteversion:1.2.0

Trust: 1.0

vendor:toshiba lightingmodel:home gateway hem-gw16ascope:lteversion:firmware hem-gw16a-fw-v1.2.0

Trust: 0.8

vendor:toshiba lightingmodel:home gateway hem-gw26ascope:lteversion:firmware hem-gw26a-fw-v1.2.0

Trust: 0.8

vendor:toshibamodel:home gateway hem-gw26a <=hem-gw26a-fw-v1.2.0scope: - version: -

Trust: 0.6

vendor:toshibamodel:home gateway hem-gw16a <=hem-gw16a-fw-v1.2.0scope: - version: -

Trust: 0.6

vendor:toshibamodel:hem-gw16ascope:eqversion:1.2.0

Trust: 0.6

vendor:toshibamodel:hem-gw26ascope:eqversion:1.2.0

Trust: 0.6

vendor:toshibamodel:home gateway hem-gw26a hem-gw26a-fw-v1.2.0scope: - version: -

Trust: 0.3

vendor:toshibamodel:home gateway hem-gw16a hem-gw16a-fw-v1.2.0scope: - version: -

Trust: 0.3

sources: CNVD: CNVD-2017-12981 // BID: 101047 // JVNDB: JVNDB-2017-000150 // CNNVD: CNNVD-201706-1246 // NVD: CVE-2017-2237

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-2237
value: CRITICAL

Trust: 1.0

IPA: JVNDB-2017-000150
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-12981
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-1246
value: CRITICAL

Trust: 0.6

VULHUB: VHN-110440
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-2237
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2017-000150
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2017-12981
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-110440
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-2237
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.0

IPA: JVNDB-2017-000150
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2017-12981 // VULHUB: VHN-110440 // JVNDB: JVNDB-2017-000150 // CNNVD: CNNVD-201706-1246 // NVD: CVE-2017-2237

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.9

sources: VULHUB: VHN-110440 // JVNDB: JVNDB-2017-000150 // NVD: CVE-2017-2237

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-1246

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201706-1246

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-000150

PATCH
title:Toshiba Lighting & Technology Corporation websiteurl:http://www.tlt.co.jp/tlt/information/seihin/notice/defect/20170626/20170626.htm
Trust: 0.8
title:ToshibaHomegatewayHEM-GW16A firmware OS command injection vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/97435
Trust: 0.6
title:TOSHIBA Home gateway HEM-GW26A  and HEM-GW16A Fixes for operating system command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71381
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-12981 // 
            
            
            
            JVNDB: JVNDB-2017-000150 // 
            
            
            
            CNNVD: CNNVD-201706-1246

EXTERNAL IDS
db:NVDid:CVE-2017-2237
Trust: 3.5
db:JVNid:JVN85901441
Trust: 3.4
db:JVNDBid:JVNDB-2017-000150
Trust: 1.4
db:CNNVDid:CNNVD-201706-1246
Trust: 0.7
db:CNVDid:CNVD-2017-12981
Trust: 0.6
db:BIDid:101047
Trust: 0.4
db:OTHERid:NONE
Trust: 0.1
db:VULHUBid:VHN-110440
Trust: 0.1
sources:
            
            
            OTHER: None // 
            
            
            
            CNVD: CNVD-2017-12981 // 
            
            
            
            VULHUB: VHN-110440 // 
            
            
            
            BID: 101047 // 
            
            
            
            JVNDB: JVNDB-2017-000150 // 
            
            
            
            CNNVD: CNNVD-201706-1246 // 
            
            
            
            NVD: CVE-2017-2237

REFERENCES
url:http://jvn.jp/en/jp/jvn85901441/index.html
Trust: 2.8
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2237
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-2237
Trust: 0.8
url:http://jvn.jp/en/jp/jvn85901441/
Trust: 0.6
url:http://jvndb.jvn.jp/en/contents/2017/jvndb-2017-000150.html
Trust: 0.6
url:http://www.toshiba.com/
Trust: 0.3
url:https://ieeexplore.ieee.org/abstract/document/10769424
Trust: 0.1
sources:
            
            
            OTHER: None // 
            
            
            
            CNVD: CNVD-2017-12981 // 
            
            
            
            VULHUB: VHN-110440 // 
            
            
            
            BID: 101047 // 
            
            
            
            JVNDB: JVNDB-2017-000150 // 
            
            
            
            CNNVD: CNNVD-201706-1246 // 
            
            
            
            NVD: CVE-2017-2237

CREDITS
Yutaka Kokubu of Mitsui Bussan Secure Directions, Inc.
Trust: 0.9
sources:
            
            
            BID: 101047 // 
            
            
            
            CNNVD: CNNVD-201706-1246

SOURCES
db:OTHERid: - 
db:CNVDid:CNVD-2017-12981
db:VULHUBid:VHN-110440
db:BIDid:101047
db:JVNDBid:JVNDB-2017-000150
db:CNNVDid:CNNVD-201706-1246
db:NVDid:CVE-2017-2237

LAST UPDATE DATE
2025-04-20T20:50:01.293000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-12981date:2017-07-06T00:00:00
db:VULHUBid:VHN-110440date:2017-07-14T00:00:00
db:BIDid:101047date:2017-07-07T00:00:00
db:JVNDBid:JVNDB-2017-000150date:2018-02-14T00:00:00
db:CNNVDid:CNNVD-201706-1246date:2017-07-10T00:00:00
db:NVDid:CVE-2017-2237date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:CNVDid:CNVD-2017-12981date:2017-07-06T00:00:00
db:VULHUBid:VHN-110440date:2017-07-07T00:00:00
db:BIDid:101047date:2017-07-07T00:00:00
db:JVNDBid:JVNDB-2017-000150date:2017-06-28T00:00:00
db:CNNVDid:CNNVD-201706-1246date:2017-06-27T00:00:00
db:NVDid:CVE-2017-2237date:2017-07-07T13:29:01.303