Sign-up

ID

VAR-201712-0032


CVE

CVE-2014-8389


TITLE

plural AirLive In product firmware OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-008454

DESCRIPTION

cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware LM.1.6.17.01 uses hard-coded credentials in the embedded Boa web server, which allows remote attackers to obtain user credentials via crafted HTTP requests. plural AirLive Product firmware includes OS A command injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. OvisLink Airlive IP Cameras WL-2000CAM and Airlive IP Cameras POE-200CAM are OvisLink's network camera products. Operating system command injection vulnerability exists in the /cgi-bin/mft/wireless_mft.cgi binary of OvisLink AirLive IP Cameras WL-2000CAM and Airlive IP Cameras POE-200CAM. The attacker can use the hard-coded certificate in the configuration file of the Boa Web server to use the vulnerability to decode the certificate and obtain access rights to the device. Multiple AirLive Products are prone to multiple OS command-injection vulnerabilities. Successfully exploiting these issues may allow an attacker to execute arbitrary OS commands in the context of the affected application. The following versions and products are affected: AirLive BU-2015 with firmware version 1.03.18 16.06.2014; AirLive BU-3026 with firmware version 1.43 21.08.2014; AirLive MD-3025 with firmware version 1.81 21.08.2014; .1.6.18 AirLive WL-2000CAM with firmware version 14.10.2011; AirLive POE-200CAM v2 with firmware version LM.1.6.17.01

Trust: 2.61

sources: NVD: CVE-2014-8389 // JVNDB: JVNDB-2014-008454 // CNVD: CNVD-2015-04485 // BID: 75559 // VULHUB: VHN-76334 // VULMON: CVE-2014-8389

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-04485

AFFECTED PRODUCTS

vendor:airlivemodel:poe-200cam v2scope:eqversion:lm.1.6.17.01

Trust: 1.6

vendor:airlivemodel:wl-2000camscope:eqversion:lm.1.6.18_14.10.2011

Trust: 1.6

vendor:airlivemodel:md-3025scope:eqversion:1.81_21.08.2014

Trust: 1.6

vendor:airlivemodel:bu-2015scope:eqversion:1.03.18_16.06.2014

Trust: 1.6

vendor:airlivemodel:bu-3026scope:eqversion:1.43_21.08.2014

Trust: 1.6

vendor:ovislink corpmodel:airlive bu-2015scope:eqversion:1.03.18 16.06.2014

Trust: 0.8

vendor:ovislink corpmodel:airlive bu-3026scope:eqversion:1.43 21.08.2014

Trust: 0.8

vendor:ovislink corpmodel:airlive md-3025scope:eqversion:1.81 21.08.2014

Trust: 0.8

vendor:ovislink corpmodel:airlive poe-200camv2scope:eqversion:lm.1.6.17.01

Trust: 0.8

vendor:ovislink corpmodel:airlive wl-2000camscope:eqversion:lm.1.6.18 14.10.2011

Trust: 0.8

vendor:ovislinkmodel:airlive ip cameras wl-2000cam/airlive ip cameras poe-200camscope: - version: -

Trust: 0.6

vendor:airlivemodel:wl-2000cam lm.1.6.18.14.10.2011scope: - version: -

Trust: 0.3

vendor:airlivemodel:poe-200cam lm.1.6.17.01scope:eqversion:v2

Trust: 0.3

vendor:airlivemodel:md-3025scope:eqversion:1.81.21.08.2014

Trust: 0.3

vendor:airlivemodel:bu-3026scope:eqversion:1.43.21.08.2014

Trust: 0.3

vendor:airlivemodel:bu-2015scope:eqversion:1.03.18.16.06.2014

Trust: 0.3

sources: CNVD: CNVD-2015-04485 // BID: 75559 // JVNDB: JVNDB-2014-008454 // CNNVD: CNNVD-201507-354 // NVD: CVE-2014-8389

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8389
value: CRITICAL

Trust: 1.0

NVD: CVE-2014-8389
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2015-04485
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201507-354
value: CRITICAL

Trust: 0.6

VULHUB: VHN-76334
value: HIGH

Trust: 0.1

VULMON: CVE-2014-8389
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-8389
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2015-04485
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-76334
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2014-8389
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2015-04485 // VULHUB: VHN-76334 // VULMON: CVE-2014-8389 // JVNDB: JVNDB-2014-008454 // CNNVD: CNNVD-201507-354 // NVD: CVE-2014-8389

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.9

sources: VULHUB: VHN-76334 // JVNDB: JVNDB-2014-008454 // NVD: CVE-2014-8389

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-354

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201507-354

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-008454

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-76334

PATCH
title:Top Pageurl:http://www.airlive.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-008454

EXTERNAL IDS
db:NVDid:CVE-2014-8389
Trust: 3.5
db:BIDid:75559
Trust: 2.7
db:PACKETSTORMid:132585
Trust: 1.8
db:JVNDBid:JVNDB-2014-008454
Trust: 0.8
db:CNNVDid:CNNVD-201507-354
Trust: 0.7
db:CNVDid:CNVD-2015-04485
Trust: 0.6
db:VULHUBid:VHN-76334
Trust: 0.1
db:VULMONid:CVE-2014-8389
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2015-04485 // 
            
            
            
            VULHUB: VHN-76334 // 
            
            
            
            VULMON: CVE-2014-8389 // 
            
            
            
            BID: 75559 // 
            
            
            
            JVNDB: JVNDB-2014-008454 // 
            
            
            
            CNNVD: CNNVD-201507-354 // 
            
            
            
            NVD: CVE-2014-8389

REFERENCES
url:https://www.coresecurity.com/advisories/airlive-multiple-products-os-command-injection
Trust: 2.9
url:http://www.securityfocus.com/bid/75559
Trust: 2.5
url:http://packetstormsecurity.com/files/132585/airlive-remote-command-injection.html
Trust: 1.9
url:http://seclists.org/fulldisclosure/2015/jul/29
Trust: 1.8
url:http://www.securityfocus.com/archive/1/535938/100/0/threaded
Trust: 1.2
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8389
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2014-8389
Trust: 0.8
url:http://www.securityfocus.com/archive/1/archive/1/535938/100/0/threaded
Trust: 0.6
url:http://www.airlive.com/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/78.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2015-04485 // 
            
            
            
            VULHUB: VHN-76334 // 
            
            
            
            VULMON: CVE-2014-8389 // 
            
            
            
            BID: 75559 // 
            
            
            
            JVNDB: JVNDB-2014-008454 // 
            
            
            
            CNNVD: CNNVD-201507-354 // 
            
            
            
            NVD: CVE-2014-8389

CREDITS
Nahuel Riva from Core Security Exploit Writing Team
Trust: 0.9
sources:
            
            
            BID: 75559 // 
            
            
            
            CNNVD: CNNVD-201507-354

SOURCES
db:CNVDid:CNVD-2015-04485
db:VULHUBid:VHN-76334
db:VULMONid:CVE-2014-8389
db:BIDid:75559
db:JVNDBid:JVNDB-2014-008454
db:CNNVDid:CNNVD-201507-354
db:NVDid:CVE-2014-8389

LAST UPDATE DATE
2025-04-20T23:22:07.875000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2015-04485date:2015-07-15T00:00:00
db:VULHUBid:VHN-76334date:2018-10-09T00:00:00
db:VULMONid:CVE-2014-8389date:2018-10-09T00:00:00
db:BIDid:75559date:2015-07-06T00:00:00
db:JVNDBid:JVNDB-2014-008454date:2018-01-29T00:00:00
db:CNNVDid:CNNVD-201507-354date:2018-01-02T00:00:00
db:NVDid:CVE-2014-8389date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:CNVDid:CNVD-2015-04485date:2015-07-15T00:00:00
db:VULHUBid:VHN-76334date:2017-12-28T00:00:00
db:VULMONid:CVE-2014-8389date:2017-12-28T00:00:00
db:BIDid:75559date:2015-07-06T00:00:00
db:JVNDBid:JVNDB-2014-008454date:2018-01-29T00:00:00
db:CNNVDid:CNNVD-201507-354date:2015-07-13T00:00:00
db:NVDid:CVE-2014-8389date:2017-12-28T02:29:03.113