Sign-up

ID

VAR-201708-1118


CVE

CVE-2017-12703


TITLE

plural Westermo Product cross-site request forgery vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-007294

DESCRIPTION

A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server. plural Westermo The product contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. A number of Westermo routers have a hard-coded password vulnerability, and the device uses a hard-coded private key that allows an attacker to decrypt traffic from any other source. The RD-305-DIN, MRD-315, MRD-355, and MRD-455 are all Westermo router devices. A number of Westermo routers have spoofing vulnerabilities. A hard-coded credentials vulnerability 2. A cross-site request forgery vulnerability 3. A hard-coded cryptographic key vulnerability Attackers can exploit these issues to bypass authentication mechanisms, to perform unauthorized actions and gain access to the affected application and to read and modify intercepted traffic. Westermo MRD-305-DIN etc. A remote attacker could exploit this vulnerability to perform unauthorized operations. The following products and versions are affected: Westermo MRD-305-DIN prior to 1.7.5.0, MRD-315 prior to 1.7.5.0, MRD-355 prior to 1.7.5.0, MRD-455 prior to 1.7.5.0

Trust: 3.24

sources: NVD: CVE-2017-12703 // JVNDB: JVNDB-2017-007294 // CNVD: CNVD-2017-23002 // CNVD: CNVD-2017-23004 // BID: 100470 // IVD: 471c06f6-cd0e-48ec-8ee9-aea833e36d39 // VULHUB: VHN-103252

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 1.2

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: 471c06f6-cd0e-48ec-8ee9-aea833e36d39 // CNVD: CNVD-2017-23002 // CNVD: CNVD-2017-23004

AFFECTED PRODUCTS

vendor:westermomodel:mrd-315-dinscope:eqversion: -

Trust: 1.6

vendor:westermomodel:mrd-305-dinscope:eqversion: -

Trust: 1.6

vendor:westermomodel:mrd-455-dinscope:eqversion: -

Trust: 1.6

vendor:westermomodel:mrd-355-dinscope:eqversion: -

Trust: 1.6

vendor:westermomodel:mrd-305-dinscope:ltversion:1.7.5.0

Trust: 1.2

vendor:westermomodel:mrd-315scope:ltversion:1.7.5.0

Trust: 1.2

vendor:westermomodel:mrd-355scope:ltversion:1.7.5.0

Trust: 1.2

vendor:westermomodel:mrd-455scope:ltversion:1.7.5.0

Trust: 1.2

vendor:westermomodel:mrd-305-dinscope:lteversion:1.7.5.0

Trust: 0.8

vendor:westermomodel:mrd-315scope:lteversion:1.7.5.0

Trust: 0.8

vendor:westermomodel:mrd-355scope:lteversion:1.7.5.0

Trust: 0.8

vendor:westermomodel:mrd-455scope:lteversion:1.7.5.0

Trust: 0.8

vendor:westermomodel:mrd-455scope:eqversion:1.7.5.0

Trust: 0.3

vendor:westermomodel:mrd-355scope:eqversion:1.7.5.0

Trust: 0.3

vendor:westermomodel:mrd-315scope:eqversion:1.7.5.0

Trust: 0.3

vendor:westermomodel:mrd-305-dinscope:eqversion:1.7.5.0

Trust: 0.3

vendor:westermomodel:mrd-455scope:neversion:1.7.7.0

Trust: 0.3

vendor:westermomodel:mrd-355scope:neversion:1.7.7.0

Trust: 0.3

vendor:westermomodel:mrd-315scope:neversion:1.7.7.0

Trust: 0.3

vendor:westermomodel:mrd-305-dinscope:neversion:1.7.7.0

Trust: 0.3

vendor:mrd 305 dinmodel: - scope:eqversion: -

Trust: 0.2

vendor:mrd 315 dinmodel: - scope:eqversion: -

Trust: 0.2

vendor:mrd 355 dinmodel: - scope:eqversion: -

Trust: 0.2

vendor:mrd 455 dinmodel: - scope:eqversion: -

Trust: 0.2

sources: IVD: 471c06f6-cd0e-48ec-8ee9-aea833e36d39 // CNVD: CNVD-2017-23002 // CNVD: CNVD-2017-23004 // BID: 100470 // JVNDB: JVNDB-2017-007294 // CNNVD: CNNVD-201708-1141 // NVD: CVE-2017-12703

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12703
value: HIGH

Trust: 1.0

NVD: CVE-2017-12703
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-23002
value: HIGH

Trust: 0.6

CNVD: CNVD-2017-23004
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201708-1141
value: MEDIUM

Trust: 0.6

IVD: 471c06f6-cd0e-48ec-8ee9-aea833e36d39
value: MEDIUM

Trust: 0.2

VULHUB: VHN-103252
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-12703
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-23002
severity: HIGH
baseScore: 9.4
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2017-23004
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 471c06f6-cd0e-48ec-8ee9-aea833e36d39
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-103252
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12703
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: 471c06f6-cd0e-48ec-8ee9-aea833e36d39 // CNVD: CNVD-2017-23002 // CNVD: CNVD-2017-23004 // VULHUB: VHN-103252 // JVNDB: JVNDB-2017-007294 // CNNVD: CNNVD-201708-1141 // NVD: CVE-2017-12703

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-103252 // JVNDB: JVNDB-2017-007294 // NVD: CVE-2017-12703

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201708-1141

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201708-1141

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-007294

PATCH
title:Wireless routersurl:http://www.westermo.us/web/web_en_idc_us.nsf/AllDocuments/B84901DE5CC4368DC12578930031F1BC
Trust: 0.8
title:Patches for several Westermo router hardcoded password vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/100885
Trust: 0.6
title:Patches for multiple Westermo router spoofing vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/100887
Trust: 0.6
title:Multiple Westermo Fixing measures for device cross-site request forgery vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74299
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-23002 // 
            
            
            
            CNVD: CNVD-2017-23004 // 
            
            
            
            JVNDB: JVNDB-2017-007294 // 
            
            
            
            CNNVD: CNNVD-201708-1141

EXTERNAL IDS
db:ICS CERTid:ICSA-17-236-01
Trust: 4.0
db:NVDid:CVE-2017-12703
Trust: 3.6
db:BIDid:100470
Trust: 3.2
db:CNNVDid:CNNVD-201708-1141
Trust: 0.9
db:CNVDid:CNVD-2017-23004
Trust: 0.8
db:JVNDBid:JVNDB-2017-007294
Trust: 0.8
db:CNVDid:CNVD-2017-23002
Trust: 0.6
db:IVDid:471C06F6-CD0E-48EC-8EE9-AEA833E36D39
Trust: 0.2
db:VULHUBid:VHN-103252
Trust: 0.1
sources:
            
            
            IVD: 471c06f6-cd0e-48ec-8ee9-aea833e36d39 // 
            
            
            
            CNVD: CNVD-2017-23002 // 
            
            
            
            CNVD: CNVD-2017-23004 // 
            
            
            
            VULHUB: VHN-103252 // 
            
            
            
            BID: 100470 // 
            
            
            
            JVNDB: JVNDB-2017-007294 // 
            
            
            
            CNNVD: CNNVD-201708-1141 // 
            
            
            
            NVD: CVE-2017-12703

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-236-01
Trust: 4.0
url:http://www.securityfocus.com/bid/100470
Trust: 2.9
url:http://www.westermo.com/
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12703
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-12703
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2017-23002 // 
            
            
            
            CNVD: CNVD-2017-23004 // 
            
            
            
            VULHUB: VHN-103252 // 
            
            
            
            BID: 100470 // 
            
            
            
            JVNDB: JVNDB-2017-007294 // 
            
            
            
            CNNVD: CNNVD-201708-1141 // 
            
            
            
            NVD: CVE-2017-12703

CREDITS
Mandar Jadhav from Qualys Security
Trust: 0.9
sources:
            
            
            BID: 100470 // 
            
            
            
            CNNVD: CNNVD-201708-1141

SOURCES
db:IVDid:471c06f6-cd0e-48ec-8ee9-aea833e36d39
db:CNVDid:CNVD-2017-23002
db:CNVDid:CNVD-2017-23004
db:VULHUBid:VHN-103252
db:BIDid:100470
db:JVNDBid:JVNDB-2017-007294
db:CNNVDid:CNNVD-201708-1141
db:NVDid:CVE-2017-12703

LAST UPDATE DATE
2025-04-20T23:12:41.016000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-23002date:2017-08-26T00:00:00
db:CNVDid:CNVD-2017-23004date:2017-08-26T00:00:00
db:VULHUBid:VHN-103252date:2017-08-29T00:00:00
db:BIDid:100470date:2019-04-15T18:00:00
db:JVNDBid:JVNDB-2017-007294date:2017-09-15T00:00:00
db:CNNVDid:CNNVD-201708-1141date:2019-04-16T00:00:00
db:NVDid:CVE-2017-12703date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:IVDid:471c06f6-cd0e-48ec-8ee9-aea833e36d39date:2017-08-26T00:00:00
db:CNVDid:CNVD-2017-23002date:2017-08-26T00:00:00
db:CNVDid:CNVD-2017-23004date:2017-08-26T00:00:00
db:VULHUBid:VHN-103252date:2017-08-25T00:00:00
db:BIDid:100470date:2017-08-24T00:00:00
db:JVNDBid:JVNDB-2017-007294date:2017-09-15T00:00:00
db:CNNVDid:CNNVD-201708-1141date:2017-08-28T00:00:00
db:NVDid:CVE-2017-12703date:2017-08-25T16:29:00.237