ID

VAR-201812-0433


CVE

CVE-2018-14709


TITLE

Drobo 5N2 NAS Authentication vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-012525

DESCRIPTION

Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation. Drobo 5N2 NAS contains an authentication vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Drobo 5N2 NAS is a network storage device (NAS) from Drobo Corporation of the United States. The device has functions such as data sharing, data backup, remote access, and disaster recovery. Dashboard API is one of the dashboard components. An attacker could exploit the vulnerability to bypass authentication and execute arbitrary commands.

Trust: 2.25

sources: NVD: CVE-2018-14709 // JVNDB: JVNDB-2018-012525 // CNVD: CNVD-2019-05923 // VULHUB: VHN-124895

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-05923

AFFECTED PRODUCTS

vendor: drobo, model: 5n2, scope: eq, version: 4.0.5-13.28.96115

Trust: 2.4

vendor: drobo, model: 5n2 nas, scope: eq, version: 4.0.5-13.28.96115

Trust: 0.6

sources: CNVD: CNVD-2019-05923 // JVNDB: JVNDB-2018-012525 // CNNVD: CNNVD-201812-054 // NVD: CVE-2018-14709

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-14709
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-14709
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2019-05923
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201812-054
value: CRITICAL

Trust: 0.6

VULHUB: VHN-124895
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-14709
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-05923
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-124895
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-14709
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-05923 // VULHUB: VHN-124895 // JVNDB: JVNDB-2018-012525 // CNNVD: CNNVD-201812-054 // NVD: CVE-2018-14709

PROBLEMTYPE DATA

problemtype: CWE-287

Trust: 1.9

sources: VULHUB: VHN-124895 // JVNDB: JVNDB-2018-012525 // NVD: CVE-2018-14709

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-054

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201812-054

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012525

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-124895

PATCH

title: Drobo 5N2, url: https://www.drobo-jp.com/products/pdr5n2.html

Trust: 0.8

sources: JVNDB: JVNDB-2018-012525

EXTERNAL IDS

db: NVD, id: CVE-2018-14709

Trust: 3.1

db: PACKETSTORM, id: 156710

Trust: 1.7

db: JVNDB, id: JVNDB-2018-012525

Trust: 0.8

db: CNNVD, id: CNNVD-201812-054

Trust: 0.7

db: CNVD, id: CNVD-2019-05923

Trust: 0.6

db: VULHUB, id: VHN-124895

Trust: 0.1

sources: CNVD: CNVD-2019-05923 // VULHUB: VHN-124895 // JVNDB: JVNDB-2018-012525 // CNNVD: CNNVD-201812-054 // NVD: CVE-2018-14709

REFERENCES

url: https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc

Trust: 2.5

url: http://packetstormsecurity.com/files/156710/drobo-5n2-4.1.1-remote-command-injection.html

Trust: 2.3

url: https://nvd.nist.gov/vuln/detail/cve-2018-14709

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14709

Trust: 0.8

sources: CNVD: CNVD-2019-05923 // VULHUB: VHN-124895 // JVNDB: JVNDB-2018-012525 // CNNVD: CNNVD-201812-054 // NVD: CVE-2018-14709

CREDITS

Rick Ramgattie, Ian Sindermann

Trust: 0.6

sources: CNNVD: CNNVD-201812-054

SOURCES

db: CNVD, id: CNVD-2019-05923
db: VULHUB, id: VHN-124895
db: JVNDB, id: JVNDB-2018-012525
db: CNNVD, id: CNNVD-201812-054
db: NVD, id: CVE-2018-14709

LAST UPDATE DATE

2024-11-23T23:01:58.398000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-05923, date: 2019-03-03T00:00:00
db: VULHUB, id: VHN-124895, date: 2020-03-13T00:00:00
db: JVNDB, id: JVNDB-2018-012525, date: 2019-02-05T00:00:00
db: CNNVD, id: CNNVD-201812-054, date: 2021-07-09T00:00:00
db: NVD, id: CVE-2018-14709, date: 2024-11-21T03:49:38.290

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-05923, date: 2019-03-03T00:00:00
db: VULHUB, id: VHN-124895, date: 2018-12-03T00:00:00
db: JVNDB, id: JVNDB-2018-012525, date: 2019-02-05T00:00:00
db: CNNVD, id: CNNVD-201812-054, date: 2018-12-04T00:00:00
db: NVD, id: CVE-2018-14709, date: 2018-12-03T22:29:00.763