ID

VAR-201906-0840


CVE

CVE-2017-9384


TITLE

Command injection vulnerability in Vera VeraEdge and Veralite devices

Trust: 0.8

sources: JVNDB: JVNDB-2017-014523

DESCRIPTION

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a web user interface that allows a user to manage the device. As part of this functionality, the device firmware contains a file known as relay.sh, which allows the device to create relay ports and connect to Vera servers. This is primarily used as a method of communication between the device and Vera servers, so that the devices can be reached even when the user is not at home. One of the parameters retrieved by this script is "remote_host". The script does not sanitize this parameter correctly and passes it in a call to "eval" that executes another script, with remote_host concatenated so that it is passed as a parameter to the second script. This allows an attacker to escape from the executed command and then execute any commands of his/her choice. Vera VeraEdge and Veralite devices contain a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS).

Trust: 1.8

sources: NVD: CVE-2017-9384 // JVNDB: JVNDB-2017-014523 // VULHUB: VHN-117587 // VULMON: CVE-2017-9384

AFFECTED PRODUCTS

vendor: getvera, model: veralite, scope: lte, version: 1.7.481

Trust: 1.0

vendor: getvera, model: veraedge, scope: lte, version: 1.7.19

Trust: 1.0

vendor: vera control, model: veraedge, scope: eq, version: 1.7.19

Trust: 0.8

vendor: vera control, model: veralite, scope: eq, version: 1.7.481

Trust: 0.8

sources: JVNDB: JVNDB-2017-014523 // NVD: CVE-2017-9384

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9384
value: HIGH

Trust: 1.0

NVD: CVE-2017-9384
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201706-124
value: HIGH

Trust: 0.6

VULHUB: VHN-117587
value: HIGH

Trust: 0.1

VULMON: CVE-2017-9384
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-9384
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-117587
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-9384
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-117587 // VULMON: CVE-2017-9384 // JVNDB: JVNDB-2017-014523 // CNNVD: CNNVD-201706-124 // NVD: CVE-2017-9384

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.9

sources: VULHUB: VHN-117587 // JVNDB: JVNDB-2017-014523 // NVD: CVE-2017-9384

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-124

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201706-124

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014523

PATCH

title: VeraEdge, url: https://getvera.com/controllers/veraedge/

Trust: 0.8

title: VeraLite, url: https://getvera.com/controllers/veralite/

Trust: 0.8

title: IoT_vulnerabilities, url: https://github.com/ethanhunnt/IoT_vulnerabilities

Trust: 0.1

sources: VULMON: CVE-2017-9384 // JVNDB: JVNDB-2017-014523

EXTERNAL IDS

db: NVD, id: CVE-2017-9384

Trust: 2.7

db: PACKETSTORM, id: 153242

Trust: 1.9

db: JVNDB, id: JVNDB-2017-014523

Trust: 0.8

db: CNNVD, id: CNNVD-201706-124

Trust: 0.7

db: VULHUB, id: VHN-117587

Trust: 0.1

db: VULMON, id: CVE-2017-9384

Trust: 0.1

sources: VULHUB: VHN-117587 // VULMON: CVE-2017-9384 // JVNDB: JVNDB-2017-014523 // PACKETSTORM: 153242 // CNNVD: CNNVD-201706-124 // NVD: CVE-2017-9384

REFERENCES

url:https://seclists.org/bugtraq/2019/jun/8

Trust: 2.6

url:http://packetstormsecurity.com/files/153242/veralite-veraedge-router-xss-command-injection-csrf-traversal.html

Trust: 1.8

url:https://github.com/ethanhunnt/iot_vulnerabilities/blob/master/vera_sec_issues.pdf

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-9384

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9384

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/77.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/ethanhunnt/iot_vulnerabilities

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9381

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9391

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9389

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9390

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9388

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9385

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9386

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9383

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9387

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9392

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-9382

Trust: 0.1

sources: VULHUB: VHN-117587 // VULMON: CVE-2017-9384 // JVNDB: JVNDB-2017-014523 // PACKETSTORM: 153242 // CNNVD: CNNVD-201706-124 // NVD: CVE-2017-9384

CREDITS

Mandar Satam

Trust: 0.1

sources: PACKETSTORM: 153242

SOURCES

db: VULHUB, id: VHN-117587
db: VULMON, id: CVE-2017-9384
db: JVNDB, id: JVNDB-2017-014523
db: PACKETSTORM, id: 153242
db: CNNVD, id: CNNVD-201706-124
db: NVD, id: CVE-2017-9384

LAST UPDATE DATE

2024-11-23T21:52:09.848000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-117587, date: 2019-06-20T00:00:00
db: VULMON, id: CVE-2017-9384, date: 2019-06-20T00:00:00
db: JVNDB, id: JVNDB-2017-014523, date: 2019-06-24T00:00:00
db: CNNVD, id: CNNVD-201706-124, date: 2019-06-21T00:00:00
db: NVD, id: CVE-2017-9384, date: 2024-11-21T03:35:58.810

SOURCES RELEASE DATE

db: VULHUB, id: VHN-117587, date: 2019-06-17T00:00:00
db: VULMON, id: CVE-2017-9384, date: 2019-06-17T00:00:00
db: JVNDB, id: JVNDB-2017-014523, date: 2019-06-24T00:00:00
db: PACKETSTORM, id: 153242, date: 2019-06-07T15:06:02
db: CNNVD, id: CNNVD-201706-124, date: 2017-06-06T00:00:00
db: NVD, id: CVE-2017-9384, date: 2019-06-17T18:15:10.627