ID

VAR-201906-0829


CVE

CVE-2017-9385


TITLE

Vulnerabilities related to certificate and password management in Vera Veralite devices

Trust: 0.8

sources: JVNDB: JVNDB-2017-014543

DESCRIPTION

An issue was discovered on Vera Veralite 1.7.481 devices. In addition to the standard web interface, the device has an OpenWRT interface that grants the highest privileges a user can obtain on the device. This web interface uses root as the username and the password stored in the /etc/cmh/cmh.conf file, which an attacker can extract using a directory traversal attack and then use to log in to the device with the highest privileges. Vera Veralite devices contain vulnerabilities related to certificate and password management. Information may be obtained or altered, and service operation may be disrupted (DoS).

Trust: 1.8

sources: NVD: CVE-2017-9385 // JVNDB: JVNDB-2017-014543 // VULHUB: VHN-117588 // VULMON: CVE-2017-9385

AFFECTED PRODUCTS

vendor: getvera, model: veralite, scope: lte, version: 1.7.481

Trust: 1.0

vendor: getvera, model: veraedge, scope: lte, version: 1.7.19

Trust: 1.0

vendor: vera control, model: veraedge, scope: -, version: -

Trust: 0.8

vendor: vera control, model: veralite, scope: eq, version: 1.7.481

Trust: 0.8

sources: JVNDB: JVNDB-2017-014543 // NVD: CVE-2017-9385

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-9385
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-9385
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201706-123
value: CRITICAL

Trust: 0.6

VULHUB: VHN-117588
value: MEDIUM

Trust: 0.1

VULMON: CVE-2017-9385
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-9385
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-117588
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-9385
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-117588 // VULMON: CVE-2017-9385 // JVNDB: JVNDB-2017-014543 // CNNVD: CNNVD-201706-123 // NVD: CVE-2017-9385

PROBLEMTYPE DATA

problemtype: CWE-255

Trust: 1.9

sources: VULHUB: VHN-117588 // JVNDB: JVNDB-2017-014543 // NVD: CVE-2017-9385

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-123

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201706-123

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014543

PATCH

title: VeraEdge, url: https://getvera.com/controllers/veraedge/

Trust: 0.8

title: VeraLite, url: https://getvera.com/controllers/veralite/

Trust: 0.8

title: IoT_vulnerabilities, url: https://github.com/ethanhunnt/IoT_vulnerabilities

Trust: 0.1

sources: VULMON: CVE-2017-9385 // JVNDB: JVNDB-2017-014543

EXTERNAL IDS

db: NVD, id: CVE-2017-9385

Trust: 2.7

db: PACKETSTORM, id: 153242

Trust: 1.9

db: JVNDB, id: JVNDB-2017-014543

Trust: 0.8

db: CNNVD, id: CNNVD-201706-123

Trust: 0.7

db: VULHUB, id: VHN-117588

Trust: 0.1

db: VULMON, id: CVE-2017-9385

Trust: 0.1

sources: VULHUB: VHN-117588 // VULMON: CVE-2017-9385 // JVNDB: JVNDB-2017-014543 // PACKETSTORM: 153242 // CNNVD: CNNVD-201706-123 // NVD: CVE-2017-9385

REFERENCES

url:https://github.com/ethanhunnt/iot_vulnerabilities/blob/master/vera_sec_issues.pdf

Trust: 2.6

url:https://seclists.org/bugtraq/2019/jun/8

Trust: 1.8

url:http://packetstormsecurity.com/files/153242/veralite-veraedge-router-xss-command-injection-csrf-traversal.html

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-9385

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9385

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/255.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/ethanhunnt/iot_vulnerabilities

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9381

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9391

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9389

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9390

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9388

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9386

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9383

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9387

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9392

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9382

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9384

Trust: 0.1

sources: VULHUB: VHN-117588 // VULMON: CVE-2017-9385 // JVNDB: JVNDB-2017-014543 // PACKETSTORM: 153242 // CNNVD: CNNVD-201706-123 // NVD: CVE-2017-9385

CREDITS

Mandar Satam

Trust: 0.1

sources: PACKETSTORM: 153242

SOURCES

db: VULHUB, id: VHN-117588
db: VULMON, id: CVE-2017-9385
db: JVNDB, id: JVNDB-2017-014543
db: PACKETSTORM, id: 153242
db: CNNVD, id: CNNVD-201706-123
db: NVD, id: CVE-2017-9385

LAST UPDATE DATE

2024-11-23T21:52:09.752000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-117588, date: 2019-06-20T00:00:00
db: VULMON, id: CVE-2017-9385, date: 2019-06-20T00:00:00
db: JVNDB, id: JVNDB-2017-014543, date: 2019-06-25T00:00:00
db: CNNVD, id: CNNVD-201706-123, date: 2019-06-21T00:00:00
db: NVD, id: CVE-2017-9385, date: 2024-11-21T03:35:58.990

SOURCES RELEASE DATE

db: VULHUB, id: VHN-117588, date: 2019-06-17T00:00:00
db: VULMON, id: CVE-2017-9385, date: 2019-06-17T00:00:00
db: JVNDB, id: JVNDB-2017-014543, date: 2019-06-25T00:00:00
db: PACKETSTORM, id: 153242, date: 2019-06-07T15:06:02
db: CNNVD, id: CNNVD-201706-123, date: 2017-06-06T00:00:00
db: NVD, id: CVE-2017-9385, date: 2019-06-17T20:15:09.290