Details of VAR-201709-0394

ID

VAR-201709-0394

CVE

CVE-2017-14263

TITLE

Honeywell NVR Vulnerabilities related to authorization, authority, and access control in devices

Trust: 0.8

sources: JVNDB: JVNDB-2017-007939

DESCRIPTION

Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device. Honeywell NVR Devices have vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Honeywell NVRdevices is a network video recorder device from Honeywell. There is a security hole in the Honeywell NVR device

Trust: 2.25

sources: NVD: CVE-2017-14263 // JVNDB: JVNDB-2017-007939 // CNVD: CNVD-2017-33218 // VULHUB: VHN-104968

IOT TAXONOMY

category:

['ICS', 'Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-33218

AFFECTED PRODUCTS

vendor:	honeywell	model:	maxpro nvr hybrid xe	scope:	eq	version:	-	Trust: 1.6
vendor:	honeywell	model:	maxpro nvr pe	scope:	eq	version:	-	Trust: 1.6
vendor:	honeywell	model:	maxpro nvr se	scope:	eq	version:	-	Trust: 1.6
vendor:	honeywell	model:	maxpro nvr hybrid se	scope:	eq	version:	-	Trust: 1.6
vendor:	honeywell	model:	enterprise dvr	scope:	eq	version:	-	Trust: 1.6
vendor:	honeywell	model:	maxpro nvr xe	scope:	eq	version:	-	Trust: 1.6
vendor:	honeywell	model:	fusion iv rev c	scope:	eq	version:	-	Trust: 1.6
vendor:	honeywell	model:	enterprise dvr	scope:	-	version:	-	Trust: 0.8
vendor:	honeywell	model:	fusion iv rev c	scope:	-	version:	-	Trust: 0.8
vendor:	honeywell	model:	maxpro nvr hybrid se	scope:	-	version:	-	Trust: 0.8
vendor:	honeywell	model:	maxpro nvr hybrid xe	scope:	-	version:	-	Trust: 0.8
vendor:	honeywell	model:	maxpro nvr pe	scope:	-	version:	-	Trust: 0.8
vendor:	honeywell	model:	maxpro nvr se	scope:	-	version:	-	Trust: 0.8
vendor:	honeywell	model:	maxpro nvr xe	scope:	-	version:	-	Trust: 0.8
vendor:	honeywell	model:	nvr devices	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2017-33218 // JVNDB: JVNDB-2017-007939 // CNNVD: CNNVD-201709-424 // NVD: CVE-2017-14263

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-14263
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-14263
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2017-33218
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201709-424
value:	HIGH
Trust: 0.6
VULHUB:	VHN-104968
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-14263
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-33218
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-104968
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-14263
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-33218 // VULHUB: VHN-104968 // JVNDB: JVNDB-2017-007939 // CNNVD: CNNVD-201709-424 // NVD: CVE-2017-14263

PROBLEMTYPE DATA

problemtype:	CWE-384	Trust: 1.1
problemtype:	CWE-264	Trust: 0.9

sources: VULHUB: VHN-104968 // JVNDB: JVNDB-2017-007939 // NVD: CVE-2017-14263

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201709-424

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201709-424

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007939

PATCH

title:

NVR/Hybrid

url:

https://www.honeywellvideo.com/products/video-systems/recording-devices/nvr/

Trust: 0.8

sources: JVNDB: JVNDB-2017-007939

EXTERNAL IDS

db:	NVD	id:	CVE-2017-14263	Trust: 3.1
db:	JVNDB	id:	JVNDB-2017-007939	Trust: 0.8
db:	CNNVD	id:	CNNVD-201709-424	Trust: 0.7
db:	CNVD	id:	CNVD-2017-33218	Trust: 0.6
db:	VULHUB	id:	VHN-104968	Trust: 0.1

sources: CNVD: CNVD-2017-33218 // VULHUB: VHN-104968 // JVNDB: JVNDB-2017-007939 // CNNVD: CNNVD-201709-424 // NVD: CVE-2017-14263

REFERENCES

url:	https://github.com/zzz66686/honeywell_nvr_vul	Trust: 3.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14263	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-14263	Trust: 0.8

sources: CNVD: CNVD-2017-33218 // VULHUB: VHN-104968 // JVNDB: JVNDB-2017-007939 // CNNVD: CNNVD-201709-424 // NVD: CVE-2017-14263

SOURCES

db:	CNVD	id:	CNVD-2017-33218
db:	VULHUB	id:	VHN-104968
db:	JVNDB	id:	JVNDB-2017-007939
db:	CNNVD	id:	CNNVD-201709-424
db:	NVD	id:	CVE-2017-14263

LAST UPDATE DATE

2025-04-20T23:36:47.391000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-33218	date:	2017-11-09T00:00:00
db:	VULHUB	id:	VHN-104968	date:	2019-10-03T00:00:00
db:	JVNDB	id:	JVNDB-2017-007939	date:	2017-10-04T00:00:00
db:	CNNVD	id:	CNNVD-201709-424	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-14263	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-33218	date:	2017-11-09T00:00:00
db:	VULHUB	id:	VHN-104968	date:	2017-09-11T00:00:00
db:	JVNDB	id:	JVNDB-2017-007939	date:	2017-10-04T00:00:00
db:	CNNVD	id:	CNNVD-201709-424	date:	2017-09-12T00:00:00
db:	NVD	id:	CVE-2017-14263	date:	2017-09-11T09:29:00.717