ID

VAR-201801-1846


TITLE

Command execution vulnerability in set_param program of Pelco Sarix Pro network camera (CNVD-2017-36493)

Trust: 0.6

sources: CNVD: CNVD-2017-36493

DESCRIPTION

Pelco Sarix Professional is a video camera. A command execution vulnerability exists in the set_param program of the Pelco Sarix Pro network camera. The program does not perform security checks on the parameters submitted by the user, allowing an attacker to execute arbitrary system commands as root using shell metacharacters and thereby take complete control of the camera.

Trust: 0.6

sources: CNVD: CNVD-2017-36493

IOT TAXONOMY

category: ['ICS', 'Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-36493

AFFECTED PRODUCTS

vendor: schneider
model: electric sarix professional model: imp
scope: eq
version: -1110-103.29.65

Trust: 0.6

sources: CNVD: CNVD-2017-36493

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2017-36493
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2017-36493
severity: MEDIUM
baseScore: 6.5
vectorString: AV:A/AC:H/AU:S/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 2.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2017-36493

PATCH

title: Schneider Pergo Sarix Pro series webcam set_param program system.create.sd_file_link has a command execution vulnerability
url: https://www.cnvd.org.cn/patchinfo/show/107497

Trust: 0.6

sources: CNVD: CNVD-2017-36493

EXTERNAL IDS

db: CNVD
id: CNVD-2017-36493

Trust: 0.6

sources: CNVD: CNVD-2017-36493

SOURCES

db: CNVD
id: CNVD-2017-36493

LAST UPDATE DATE

2022-05-04T10:26:39.782000+00:00


SOURCES UPDATE DATE

db: CNVD
id: CNVD-2017-36493
date: 2017-12-07T00:00:00

SOURCES RELEASE DATE

db: CNVD
id: CNVD-2017-36493
date: 2018-01-08T00:00:00