ID

VAR-201801-1825


TITLE

Command execution vulnerability in set_param program of Pelco Sarix Pro network camera (CNVD-2017-36494)

Trust: 0.6

sources: CNVD: CNVD-2017-36494

DESCRIPTION

Pelco Sarix Professional is a video camera. A command execution vulnerability exists in the set_param program of the Pelco Sarix Pro network camera. The program does not perform security checks on user-submitted parameters, which allows an attacker to execute arbitrary system commands as root using shell metacharacters and thereby take complete control of the camera.

Trust: 0.6

sources: CNVD: CNVD-2017-36494

IOT TAXONOMY

category: ['ICS', 'Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-36494

AFFECTED PRODUCTS

vendor: schneider
model: electric sarix professional model: imp
scope: eq
version: -1110-103.29.65

Trust: 0.6

sources: CNVD: CNVD-2017-36494

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2017-36494
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2017-36494
severity: MEDIUM
baseScore: 6.5
vectorString: AV:A/AC:H/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 2.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2017-36494

PATCH

title: Schneider Pergo Sarix Pro webcam set_param program network.ieee8021x.delete_certs command execution vulnerability
url: https://www.cnvd.org.cn/patchinfo/show/107503

Trust: 0.6

sources: CNVD: CNVD-2017-36494

EXTERNAL IDS

db: CNVD
id: CNVD-2017-36494

Trust: 0.6

sources: CNVD: CNVD-2017-36494

SOURCES

db: CNVD
id: CNVD-2017-36494

LAST UPDATE DATE

2022-05-04T10:26:39.794000+00:00


SOURCES UPDATE DATE

db: CNVD
id: CNVD-2017-36494
date: 2017-12-07T00:00:00

SOURCES RELEASE DATE

db: CNVD
id: CNVD-2017-36494
date: 2018-01-08T00:00:00