Details of VAR-201906-0835

ID

VAR-201906-0835

CVE

CVE-2017-9391

TITLE

Vera VeraEdge and Veralite Device buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-014528

DESCRIPTION

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "request_image" as one of the service actions for a normal user to retrieve an image from a camera that is controlled by the controller. It seems that the "URL" parameter passed in the query string is not sanitized and is stored on the stack which allows an attacker to overflow the buffer. The function "LU::Generic_IP_Camera_Manager::REQ_Image" is activated when the lu_request_image is passed as the "id" parameter in query string. This function then calls "LU::Generic_IP_Camera_Manager::GetUrlFromArguments" and passes a "pointer" to the function where it will be allowed to store the value from the URL parameter. This pointer is passed as the second parameter $a2 to the function "LU::Generic_IP_Camera_Manager::GetUrlFromArguments". However, neither the callee or the caller in this case performs a simple length check and as a result an attacker who is able to send more than 1336 characters can easily overflow the values stored on the stack including the $RA value and thus execute code on the device. Vera VeraEdge and Veralite The device contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. An attacker could exploit this vulnerability to execute code on the device

Trust: 1.8

sources: NVD: CVE-2017-9391 // JVNDB: JVNDB-2017-014528 // VULHUB: VHN-117594 // VULMON: CVE-2017-9391

IOT TAXONOMY

category:

['home & office device']

sub_category:

smart home controller

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor:	getvera	model:	veralite	scope:	lte	version:	1.7.481	Trust: 1.0
vendor:	getvera	model:	veraedge	scope:	lte	version:	1.7.19	Trust: 1.0
vendor:	vera control	model:	veraedge	scope:	eq	version:	1.7.19	Trust: 0.8
vendor:	vera control	model:	veralite	scope:	eq	version:	1.7.481	Trust: 0.8

sources: JVNDB: JVNDB-2017-014528 // NVD: CVE-2017-9391

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-9391
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-9391
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201706-117
value:	HIGH
Trust: 0.6
VULHUB:	VHN-117594
value:	HIGH
Trust: 0.1
VULMON:	CVE-2017-9391
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-9391
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-117594
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-9391
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-117594 // VULMON: CVE-2017-9391 // JVNDB: JVNDB-2017-014528 // CNNVD: CNNVD-201706-117 // NVD: CVE-2017-9391

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-117594 // JVNDB: JVNDB-2017-014528 // NVD: CVE-2017-9391

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-117

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201706-117

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014528

PATCH

title:	VeraEdge	url:	https://getvera.com/controllers/veraedge/	Trust: 0.8
title:	VeraLite	url:	https://getvera.com/controllers/veralite/	Trust: 0.8
title:	IoT_vulnerabilities	url:	https://github.com/ethanhunnt/IoT_vulnerabilities	Trust: 0.1

sources: VULMON: CVE-2017-9391 // JVNDB: JVNDB-2017-014528

EXTERNAL IDS

db:	NVD	id:	CVE-2017-9391	Trust: 2.8
db:	PACKETSTORM	id:	153242	Trust: 1.9
db:	JVNDB	id:	JVNDB-2017-014528	Trust: 0.8
db:	CNNVD	id:	CNNVD-201706-117	Trust: 0.7
db:	OTHER	id:	NONE	Trust: 0.1
db:	VULHUB	id:	VHN-117594	Trust: 0.1
db:	VULMON	id:	CVE-2017-9391	Trust: 0.1

sources: OTHER: None // VULHUB: VHN-117594 // VULMON: CVE-2017-9391 // JVNDB: JVNDB-2017-014528 // PACKETSTORM: 153242 // CNNVD: CNNVD-201706-117 // NVD: CVE-2017-9391

REFERENCES

url:	https://github.com/ethanhunnt/iot_vulnerabilities/blob/master/vera_sec_issues.pdf	Trust: 2.6
url:	https://seclists.org/bugtraq/2019/jun/8	Trust: 1.8
url:	http://packetstormsecurity.com/files/153242/veralite-veraedge-router-xss-command-injection-csrf-traversal.html	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9391	Trust: 1.5
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9391	Trust: 0.8
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/119.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/ethanhunnt/iot_vulnerabilities	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9381	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9389	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9390	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9388	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9385	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9386	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9383	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9387	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9392	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9382	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9384	Trust: 0.1

sources: OTHER: None // VULHUB: VHN-117594 // VULMON: CVE-2017-9391 // JVNDB: JVNDB-2017-014528 // PACKETSTORM: 153242 // CNNVD: CNNVD-201706-117 // NVD: CVE-2017-9391

CREDITS

Mandar Satam

Trust: 0.1

sources: PACKETSTORM: 153242

SOURCES

db:	OTHER	id:	-
db:	VULHUB	id:	VHN-117594
db:	VULMON	id:	CVE-2017-9391
db:	JVNDB	id:	JVNDB-2017-014528
db:	PACKETSTORM	id:	153242
db:	CNNVD	id:	CNNVD-201706-117
db:	NVD	id:	CVE-2017-9391

LAST UPDATE DATE

2025-01-30T19:38:08.990000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-117594	date:	2019-06-20T00:00:00
db:	VULMON	id:	CVE-2017-9391	date:	2019-06-20T00:00:00
db:	JVNDB	id:	JVNDB-2017-014528	date:	2019-06-24T00:00:00
db:	CNNVD	id:	CNNVD-201706-117	date:	2019-06-21T00:00:00
db:	NVD	id:	CVE-2017-9391	date:	2024-11-21T03:36:01.907

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-117594	date:	2019-06-17T00:00:00
db:	VULMON	id:	CVE-2017-9391	date:	2019-06-17T00:00:00
db:	JVNDB	id:	JVNDB-2017-014528	date:	2019-06-24T00:00:00
db:	PACKETSTORM	id:	153242	date:	2019-06-07T15:06:02
db:	CNNVD	id:	CNNVD-201706-117	date:	2017-06-06T00:00:00
db:	NVD	id:	CVE-2017-9391	date:	2019-06-17T21:15:09.550