Details of VAR-201707-1213

ID

VAR-201707-1213

CVE

CVE-2017-7726

TITLE

iSmartAlarm cube Device certificate validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-005527

DESCRIPTION

iSmartAlarm cube devices have an SSL Certificate Validation Vulnerability. iSmartAlarmcubedevices is a smart home device from iSmartAlarm. An information disclosure vulnerability exists in the iSmartAlarmcube device. A remote attack can exploit this vulnerability to obtain arbitrary passwords or personal data. [+] Credits: Ilia Shnaidman [+] Source: http://dojo.bullguard.com/blog/burglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities/ Vendor: ============= iSmartAlarm, inc. Product: =========================== iSmartAlarm cube - All versions iSmartAlarm is one of the leading IoT manufactures in the domain of smart alarm systems. It provides a fully integrated alarm system with siren, smart cameras and locks. It functions like any alarm system, but with the benefits of a connected device: alerts pop up on your phone, offering you full remote control via mobile app wherever you are. Attack Vectors: ================ An attacker can get any password/personal data by setting man in the middle sniffer attack with a fake certificate on port 8443. Network Access: =============== Remote Severity: ========= High Disclosure Timeline: ===================================== Jan 30, 2017: Initial contact to vendor Feb 1, 2017: Vendor replied, requesting details Feb 2, 2017: Disclosure to vendor Apr 12, 2017: After vendor didn't replied, I've approached CERT Apr 13, 2017: Confirmed receipt by CERT and assigning CVEs July 05, 2017: Public disclosure

Trust: 2.43

sources: NVD: CVE-2017-7726 // JVNDB: JVNDB-2017-005527 // CNVD: CNVD-2017-32131 // VULHUB: VHN-115929 // VULMON: CVE-2017-7726 // PACKETSTORM: 143343

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-32131

AFFECTED PRODUCTS

vendor:	ismartalarm	model:	cubeone	scope:	eq	version:	-	Trust: 1.0
vendor:	ismart alarm	model:	cubeone	scope:	-	version:	-	Trust: 0.8
vendor:	ismartalarm	model:	cube devices	scope:	-	version:	-	Trust: 0.6
vendor:	ismartalarm	model:	cube one	scope:	eq	version:	-	Trust: 0.6

sources: CNVD: CNVD-2017-32131 // JVNDB: JVNDB-2017-005527 // CNNVD: CNNVD-201707-556 // NVD: CVE-2017-7726

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-7726
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-7726
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2017-32131
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201707-556
value:	HIGH
Trust: 0.6
VULHUB:	VHN-115929
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-7726
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-7726
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2017-32131
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-115929
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-7726
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2017-7726
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2017-32131 // VULHUB: VHN-115929 // VULMON: CVE-2017-7726 // JVNDB: JVNDB-2017-005527 // CNNVD: CNNVD-201707-556 // NVD: CVE-2017-7726

PROBLEMTYPE DATA

problemtype:

CWE-295

Trust: 1.9

sources: VULHUB: VHN-115929 // JVNDB: JVNDB-2017-005527 // NVD: CVE-2017-7726

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201707-556

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201707-556

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-005527

PATCH

title:

CubeOne

url:

https://www.ismartalarm.com/p/ISA00011/cubeone

Trust: 0.8

sources: JVNDB: JVNDB-2017-005527

EXTERNAL IDS

db:	NVD	id:	CVE-2017-7726	Trust: 3.3
db:	JVNDB	id:	JVNDB-2017-005527	Trust: 0.8
db:	CNNVD	id:	CNNVD-201707-556	Trust: 0.7
db:	CNVD	id:	CNVD-2017-32131	Trust: 0.6
db:	PACKETSTORM	id:	143343	Trust: 0.2
db:	VULHUB	id:	VHN-115929	Trust: 0.1
db:	PACKETSTORM	id:	143368	Trust: 0.1
db:	VULMON	id:	CVE-2017-7726	Trust: 0.1

sources: CNVD: CNVD-2017-32131 // VULHUB: VHN-115929 // VULMON: CVE-2017-7726 // JVNDB: JVNDB-2017-005527 // PACKETSTORM: 143343 // CNNVD: CNNVD-201707-556 // NVD: CVE-2017-7726

REFERENCES

url:	http://dojo.bullguard.com/blog/burglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities/	Trust: 2.7
url:	https://nvd.nist.gov/vuln/detail/cve-2017-7726	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7726	Trust: 0.8
url:	https://www.ismartalarm.com/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/295.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://packetstormsecurity.com/files/143368/ismartalarm-cubeone-remote-command-execution.html	Trust: 0.1

CREDITS

Ilia Shnaidman

Trust: 0.1

sources: PACKETSTORM: 143343

SOURCES

db:	CNVD	id:	CNVD-2017-32131
db:	VULHUB	id:	VHN-115929
db:	VULMON	id:	CVE-2017-7726
db:	JVNDB	id:	JVNDB-2017-005527
db:	PACKETSTORM	id:	143343
db:	CNNVD	id:	CNNVD-201707-556
db:	NVD	id:	CVE-2017-7726

LAST UPDATE DATE

2025-04-20T23:30:54.292000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-32131	date:	2017-10-31T00:00:00
db:	VULHUB	id:	VHN-115929	date:	2017-07-13T00:00:00
db:	VULMON	id:	CVE-2017-7726	date:	2017-07-13T00:00:00
db:	JVNDB	id:	JVNDB-2017-005527	date:	2017-07-31T00:00:00
db:	CNNVD	id:	CNNVD-201707-556	date:	2021-08-26T00:00:00
db:	NVD	id:	CVE-2017-7726	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-32131	date:	2017-10-31T00:00:00
db:	VULHUB	id:	VHN-115929	date:	2017-07-11T00:00:00
db:	VULMON	id:	CVE-2017-7726	date:	2017-07-11T00:00:00
db:	JVNDB	id:	JVNDB-2017-005527	date:	2017-07-31T00:00:00
db:	PACKETSTORM	id:	143343	date:	2017-07-12T20:22:22
db:	CNNVD	id:	CNNVD-201707-556	date:	2017-07-11T00:00:00
db:	NVD	id:	CVE-2017-7726	date:	2017-07-11T17:29:00.223