ID

VAR-201803-1338


CVE

CVE-2017-17668


TITLE

Access control vulnerability in NCR S1 Dispenser firmware

Trust: 0.8

sources: JVNDB: JVNDB-2017-012984

DESCRIPTION

The memory write mechanism in the NCR S1 Dispenser controller before firmware version 0x0156 allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities. The NCR S1 Dispenser firmware contains an access control vulnerability. Information may be tampered with. NCR S1 Dispenser controller is a distributor control board product of NCR Corporation of the United States. An attacker could exploit this vulnerability to upgrade or downgrade device firmware.

Trust: 2.16

sources: NVD: CVE-2017-17668 // JVNDB: JVNDB-2017-012984 // CNVD: CNVD-2018-05957

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-05957

AFFECTED PRODUCTS

vendor: ncr, model: s1 dispenser controller, scope: lt, version: 0x0156

Trust: 1.0

vendor: ncr, model: s1 dispenser, scope: lt, version: 0x0156

Trust: 0.8

vendor: ncr, model: s1 dispenser controller, scope: eq, version: 0x0108

Trust: 0.6

sources: CNVD: CNVD-2018-05957 // JVNDB: JVNDB-2017-012984 // NVD: CVE-2017-17668

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-17668
value: HIGH

Trust: 1.0

NVD: CVE-2017-17668
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-05957
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201803-724
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2017-17668
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-05957
severity: MEDIUM
baseScore: 5.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2017-17668
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-05957 // JVNDB: JVNDB-2017-012984 // CNNVD: CNNVD-201803-724 // NVD: CVE-2017-17668

PROBLEMTYPE DATA

problemtype: CWE-863

Trust: 1.0

problemtype: CWE-284

Trust: 0.8

sources: JVNDB: JVNDB-2017-012984 // NVD: CVE-2017-17668

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-724

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201803-724

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012984

PATCH

title: Top Page, url: https://www.ncr.com/

Trust: 0.8

title: Patch for NCR S1 Dispenser controller authentication vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/122599

Trust: 0.6

title: NCR S1 Dispenser controller Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79324

Trust: 0.6

sources: CNVD: CNVD-2018-05957 // JVNDB: JVNDB-2017-012984 // CNNVD: CNNVD-201803-724

EXTERNAL IDS

db: NVD, id: CVE-2017-17668

Trust: 3.0

db: JVNDB, id: JVNDB-2017-012984

Trust: 0.8

db: CNVD, id: CNVD-2018-05957

Trust: 0.6

db: CNNVD, id: CNNVD-201803-724

Trust: 0.6

sources: CNVD: CNVD-2018-05957 // JVNDB: JVNDB-2017-012984 // CNNVD: CNNVD-201803-724 // NVD: CVE-2017-17668

REFERENCES

url: https://www.ncr.com/sites/default/files/ncr_security_alert_-_2018-04_v3.pdf

Trust: 2.2

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17668

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-17668

Trust: 0.8

sources: CNVD: CNVD-2018-05957 // JVNDB: JVNDB-2017-012984 // CNNVD: CNNVD-201803-724 // NVD: CVE-2017-17668

SOURCES

db: CNVD, id: CNVD-2018-05957
db: JVNDB, id: JVNDB-2017-012984
db: CNNVD, id: CNNVD-201803-724
db: NVD, id: CVE-2017-17668

LAST UPDATE DATE

2024-11-23T22:45:25.306000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-05957, date: 2018-03-22T00:00:00
db: JVNDB, id: JVNDB-2017-012984, date: 2018-05-15T00:00:00
db: CNNVD, id: CNNVD-201803-724, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2017-17668, date: 2024-11-21T03:18:25.720

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-05957, date: 2018-03-22T00:00:00
db: JVNDB, id: JVNDB-2017-012984, date: 2018-05-15T00:00:00
db: CNNVD, id: CNNVD-201803-724, date: 2018-03-21T00:00:00
db: NVD, id: CVE-2017-17668, date: 2018-03-20T14:29:00.350