ID

VAR-201906-0833


CVE

CVE-2017-9389


TITLE

Authentication vulnerabilities in Vera VeraEdge and Veralite devices

Trust: 0.8

sources: JVNDB: JVNDB-2017-014526

DESCRIPTION

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As part of this functionality, the device allows a user to install applications written in the Lua programming language. The interface also allows any user to write his/her own application in the Lua language. However, this functionality is not protected by authentication, and this allows an attacker to run arbitrary Lua code on the device. The POST request is forwarded to the LuaUPNP daemon on the device. This binary handles the received Lua code in the function "LU::JobHandler_LuaUPnP::RunLua(LU::JobHandler_LuaUPnP *__hidden this, LU::UPnPActionWrapper *)". The value in the "code" parameter is then passed to the function "LU::LuaInterface::RunCode(char const*)", which actually loads the Lua engine and runs the code. Vera VeraEdge and Veralite devices contain an authentication vulnerability. Information may be obtained or tampered with, and a denial of service (DoS) condition may result.

Trust: 1.8

sources: NVD: CVE-2017-9389 // JVNDB: JVNDB-2017-014526 // VULHUB: VHN-117592 // VULMON: CVE-2017-9389

AFFECTED PRODUCTS

vendor: getvera | model: veralite | scope: lte | version: 1.7.481

Trust: 1.0

vendor: getvera | model: veraedge | scope: lte | version: 1.7.19

Trust: 1.0

vendor: vera control | model: veraedge | scope: eq | version: 1.7.19

Trust: 0.8

vendor: vera control | model: veralite | scope: eq | version: 1.7.481

Trust: 0.8

sources: JVNDB: JVNDB-2017-014526 // NVD: CVE-2017-9389

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-9389
value: HIGH

Trust: 1.0

NVD: CVE-2017-9389
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201706-119
value: HIGH

Trust: 0.6

VULHUB: VHN-117592
value: HIGH

Trust: 0.1

VULMON: CVE-2017-9389
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-9389
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-117592
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-9389
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-117592 // VULMON: CVE-2017-9389 // JVNDB: JVNDB-2017-014526 // CNNVD: CNNVD-201706-119 // NVD: CVE-2017-9389

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-117592 // JVNDB: JVNDB-2017-014526 // NVD: CVE-2017-9389

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-119

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201706-119

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014526

PATCH

title: VeraLite | url: https://getvera.com/controllers/veralite/

Trust: 0.8

title: VeraEdge | url: https://getvera.com/controllers/veraedge/

Trust: 0.8

title: IoT_vulnerabilities | url: https://github.com/ethanhunnt/IoT_vulnerabilities

Trust: 0.1

sources: VULMON: CVE-2017-9389 // JVNDB: JVNDB-2017-014526

EXTERNAL IDS

db: NVD | id: CVE-2017-9389

Trust: 2.7

db: PACKETSTORM | id: 153242

Trust: 1.9

db: JVNDB | id: JVNDB-2017-014526

Trust: 0.8

db: CNNVD | id: CNNVD-201706-119

Trust: 0.7

db: VULHUB | id: VHN-117592

Trust: 0.1

db: VULMON | id: CVE-2017-9389

Trust: 0.1

sources: VULHUB: VHN-117592 // VULMON: CVE-2017-9389 // JVNDB: JVNDB-2017-014526 // PACKETSTORM: 153242 // CNNVD: CNNVD-201706-119 // NVD: CVE-2017-9389

REFERENCES

url:https://github.com/ethanhunnt/iot_vulnerabilities/blob/master/vera_sec_issues.pdf

Trust: 2.6

url:https://seclists.org/bugtraq/2019/jun/8

Trust: 1.8

url:http://packetstormsecurity.com/files/153242/veralite-veraedge-router-xss-command-injection-csrf-traversal.html

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-9389

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9389

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/287.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/ethanhunnt/iot_vulnerabilities

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9381

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9391

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9390

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9388

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9385

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9386

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9383

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9387

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9392

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9382

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9384

Trust: 0.1

sources: VULHUB: VHN-117592 // VULMON: CVE-2017-9389 // JVNDB: JVNDB-2017-014526 // PACKETSTORM: 153242 // CNNVD: CNNVD-201706-119 // NVD: CVE-2017-9389

CREDITS

Mandar Satam

Trust: 0.1

sources: PACKETSTORM: 153242

SOURCES

db: VULHUB | id: VHN-117592
db: VULMON | id: CVE-2017-9389
db: JVNDB | id: JVNDB-2017-014526
db: PACKETSTORM | id: 153242
db: CNNVD | id: CNNVD-201706-119
db: NVD | id: CVE-2017-9389

LAST UPDATE DATE

2024-11-23T21:52:10.039000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-117592 | date: 2019-06-20T00:00:00
db: VULMON | id: CVE-2017-9389 | date: 2019-06-20T00:00:00
db: JVNDB | id: JVNDB-2017-014526 | date: 2019-06-24T00:00:00
db: CNNVD | id: CNNVD-201706-119 | date: 2019-06-21T00:00:00
db: NVD | id: CVE-2017-9389 | date: 2024-11-21T03:36:00.947

SOURCES RELEASE DATE

db: VULHUB | id: VHN-117592 | date: 2019-06-17T00:00:00
db: VULMON | id: CVE-2017-9389 | date: 2019-06-17T00:00:00
db: JVNDB | id: JVNDB-2017-014526 | date: 2019-06-24T00:00:00
db: PACKETSTORM | id: 153242 | date: 2019-06-07T15:06:02
db: CNNVD | id: CNNVD-201706-119 | date: 2017-06-06T00:00:00
db: NVD | id: CVE-2017-9389 | date: 2019-06-17T20:15:09.430