ID

VAR-201803-1003


CVE

CVE-2017-0935


TITLE

Ubiquiti Networks EdgeOS vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2017-012989

DESCRIPTION

Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Improper Privilege Management vulnerability due to a lack of file system protection, which leads to sensitive information being exposed. An attacker with access to an operator (read-only) account could escalate privileges to admin (root) access in the system. Ubiquiti Networks EdgeOS contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). Ubiquiti Networks EdgeOS is an operating system of Ubiquiti Networks that runs on Ubiquiti products. A security vulnerability exists in Ubiquiti Networks EdgeOS 1.9.1.1 and earlier versions. The vulnerability stems from the program's lack of protection for the file system. An attacker could exploit this vulnerability to obtain sensitive information and elevate to administrator privileges.

Trust: 1.8

sources: NVD: CVE-2017-0935 // JVNDB: JVNDB-2017-012989 // VULHUB: VHN-99754 // VULMON: CVE-2017-0935

AFFECTED PRODUCTS

vendor: ui, model: edgeos, scope: lte, version: 1.9.1.1

Trust: 1.0

vendor: ubiquiti, model: edgeos, scope: lte, version: 1.9.1.1

Trust: 0.8

vendor: ubnt, model: edgeos, scope: eq, version: 1.9.1.1

Trust: 0.6

sources: JVNDB: JVNDB-2017-012989 // CNNVD: CNNVD-201803-803 // NVD: CVE-2017-0935

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-0935
value: HIGH

Trust: 1.0

NVD: CVE-2017-0935
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201803-803
value: HIGH

Trust: 0.6

VULHUB: VHN-99754
value: HIGH

Trust: 0.1

VULMON: CVE-2017-0935
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-0935
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-99754
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-0935
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2017-0935
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-99754 // VULMON: CVE-2017-0935 // JVNDB: JVNDB-2017-012989 // CNNVD: CNNVD-201803-803 // NVD: CVE-2017-0935

PROBLEMTYPE DATA

problemtype: CWE-269

Trust: 1.1

problemtype: CWE-264

Trust: 0.9

sources: VULHUB: VHN-99754 // JVNDB: JVNDB-2017-012989 // NVD: CVE-2017-0935

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-803

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201803-803

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012989

PATCH

title: EdgeMAX EdgeRouter software security release v1.9.7+hotfix.3
url: https://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-EdgeRouter-software-security-release-v1-9-7-hotfix-3/ba-p/2054117

Trust: 0.8

title: Ubiquiti Networks EdgeOS Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79364

Trust: 0.6

sources: JVNDB: JVNDB-2017-012989 // CNNVD: CNNVD-201803-803

EXTERNAL IDS

db: NVD, id: CVE-2017-0935

Trust: 2.6

db: HACKERONE, id: 242407

Trust: 1.8

db: JVNDB, id: JVNDB-2017-012989

Trust: 0.8

db: CNNVD, id: CNNVD-201803-803

Trust: 0.6

db: VULHUB, id: VHN-99754

Trust: 0.1

db: VULMON, id: CVE-2017-0935

Trust: 0.1

sources: VULHUB: VHN-99754 // VULMON: CVE-2017-0935 // JVNDB: JVNDB-2017-012989 // CNNVD: CNNVD-201803-803 // NVD: CVE-2017-0935

REFERENCES

url: https://community.ubnt.com/t5/edgemax-updates-blog/edgemax-edgerouter-software-security-release-v1-9-7-hotfix-3/ba-p/2054117

Trust: 1.8

url: https://hackerone.com/reports/242407

Trust: 1.8

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0935

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-0935

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/269.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-99754 // VULMON: CVE-2017-0935 // JVNDB: JVNDB-2017-012989 // CNNVD: CNNVD-201803-803 // NVD: CVE-2017-0935

SOURCES

db: VULHUB, id: VHN-99754
db: VULMON, id: CVE-2017-0935
db: JVNDB, id: JVNDB-2017-012989
db: CNNVD, id: CNNVD-201803-803
db: NVD, id: CVE-2017-0935

LAST UPDATE DATE

2024-11-23T22:52:11.764000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-99754, date: 2020-02-12T00:00:00
db: VULMON, id: CVE-2017-0935, date: 2020-02-12T00:00:00
db: JVNDB, id: JVNDB-2017-012989, date: 2018-05-15T00:00:00
db: CNNVD, id: CNNVD-201803-803, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-0935, date: 2024-11-21T03:03:55.797

SOURCES RELEASE DATE

db: VULHUB, id: VHN-99754, date: 2018-03-22T00:00:00
db: VULMON, id: CVE-2017-0935, date: 2018-03-22T00:00:00
db: JVNDB, id: JVNDB-2017-012989, date: 2018-05-15T00:00:00
db: CNNVD, id: CNNVD-201803-803, date: 2018-03-23T00:00:00
db: NVD, id: CVE-2017-0935, date: 2018-03-22T14:29:00.427