ID

VAR-201906-0839


CVE

CVE-2017-9383


TITLE

Authentication vulnerability in Vera VeraEdge and Veralite devices

Trust: 0.8

sources: JVNDB: JVNDB-2017-014522

DESCRIPTION

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the URL "/port_3480". It seems that the UPnP services provide "wget" as one of the service actions for a normal user to connect the device to an external website. It retrieves the parameter "URL" from the query string and then passes it to an internal function that uses the curl module on the device to retrieve the contents of the website. Vera VeraEdge and Veralite devices contain an authentication vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability stems from improper design or implementation problems in the code development process of network systems or products.

Trust: 1.8

sources: NVD: CVE-2017-9383 // JVNDB: JVNDB-2017-014522 // VULHUB: VHN-117586 // VULMON: CVE-2017-9383

AFFECTED PRODUCTS

vendor: getvera // model: veralite // scope: lte // version: 1.7.481

Trust: 1.0

vendor: getvera // model: veraedge // scope: lte // version: 1.7.19

Trust: 1.0

vendor: vera control // model: veraedge // scope: eq // version: 1.7.19

Trust: 0.8

vendor: vera control // model: veralite // scope: eq // version: 1.7.481

Trust: 0.8

sources: JVNDB: JVNDB-2017-014522 // NVD: CVE-2017-9383

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9383
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-9383
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201706-125
value: CRITICAL

Trust: 0.6

VULHUB: VHN-117586
value: MEDIUM

Trust: 0.1

VULMON: CVE-2017-9383
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-9383
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-117586
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-9383
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.1
impactScore: 6.0
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-117586 // VULMON: CVE-2017-9383 // JVNDB: JVNDB-2017-014522 // CNNVD: CNNVD-201706-125 // NVD: CVE-2017-9383

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-117586 // JVNDB: JVNDB-2017-014522 // NVD: CVE-2017-9383

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-125

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201706-125

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014522

PATCH

title: VeraEdge // url: https://getvera.com/controllers/veraedge/

Trust: 0.8

title: VeraLite // url: https://getvera.com/controllers/veralite/

Trust: 0.8

title: IoT_vulnerabilities // url: https://github.com/ethanhunnt/IoT_vulnerabilities

Trust: 0.1

sources: VULMON: CVE-2017-9383 // JVNDB: JVNDB-2017-014522

EXTERNAL IDS

db: NVD // id: CVE-2017-9383

Trust: 2.7

db: PACKETSTORM // id: 153242

Trust: 1.9

db: JVNDB // id: JVNDB-2017-014522

Trust: 0.8

db: CNNVD // id: CNNVD-201706-125

Trust: 0.7

db: VULHUB // id: VHN-117586

Trust: 0.1

db: VULMON // id: CVE-2017-9383

Trust: 0.1

sources: VULHUB: VHN-117586 // VULMON: CVE-2017-9383 // JVNDB: JVNDB-2017-014522 // PACKETSTORM: 153242 // CNNVD: CNNVD-201706-125 // NVD: CVE-2017-9383

REFERENCES

url:https://github.com/ethanhunnt/iot_vulnerabilities/blob/master/vera_sec_issues.pdf

Trust: 2.6

url:https://seclists.org/bugtraq/2019/jun/8

Trust: 1.8

url:http://packetstormsecurity.com/files/153242/veralite-veraedge-router-xss-command-injection-csrf-traversal.html

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-9383

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9383

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/287.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/ethanhunnt/iot_vulnerabilities

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9381

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9391

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9389

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9390

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9388

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9385

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9386

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9387

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9392

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9382

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9384

Trust: 0.1

sources: VULHUB: VHN-117586 // VULMON: CVE-2017-9383 // JVNDB: JVNDB-2017-014522 // PACKETSTORM: 153242 // CNNVD: CNNVD-201706-125 // NVD: CVE-2017-9383

CREDITS

Mandar Satam

Trust: 0.1

sources: PACKETSTORM: 153242

SOURCES

db: VULHUB // id: VHN-117586
db: VULMON // id: CVE-2017-9383
db: JVNDB // id: JVNDB-2017-014522
db: PACKETSTORM // id: 153242
db: CNNVD // id: CNNVD-201706-125
db: NVD // id: CVE-2017-9383

LAST UPDATE DATE

2024-11-23T21:52:09.881000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-117586 // date: 2019-06-20T00:00:00
db: VULMON // id: CVE-2017-9383 // date: 2019-06-20T00:00:00
db: JVNDB // id: JVNDB-2017-014522 // date: 2019-06-24T00:00:00
db: CNNVD // id: CNNVD-201706-125 // date: 2019-06-21T00:00:00
db: NVD // id: CVE-2017-9383 // date: 2024-11-21T03:35:58.650

SOURCES RELEASE DATE

db: VULHUB // id: VHN-117586 // date: 2019-06-17T00:00:00
db: VULMON // id: CVE-2017-9383 // date: 2019-06-17T00:00:00
db: JVNDB // id: JVNDB-2017-014522 // date: 2019-06-24T00:00:00
db: PACKETSTORM // id: 153242 // date: 2019-06-07T15:06:02
db: CNNVD // id: CNNVD-201706-125 // date: 2017-06-06T00:00:00
db: NVD // id: CVE-2017-9383 // date: 2019-06-17T20:15:09.227