ID

VAR-201907-1136


CVE

CVE-2018-14494


TITLE

Command injection vulnerability in Vivotek FD8136 devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-015834

DESCRIPTION

Vivotek FD8136 devices allow Remote Command Injection, related to BusyBox and wget. NOTE: the vendor sent a clarification on 2019-09-17 explaining that, although this CVE was first populated in July 2019, it is a historical vulnerability that does not apply to any current or recent Vivotek hardware or firmware. The Vivotek FD8136 device contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). The Vivotek FD8136 is a hemispherical network camera from Vivotek of Taiwan, China. There is a command injection vulnerability in the Vivotek FD8136. The vulnerability stems from external input data being used to construct executable commands while the network system or product does not properly filter special elements. An attacker could exploit the vulnerability to execute illegal commands.

Trust: 2.25

sources: NVD: CVE-2018-14494 // JVNDB: JVNDB-2018-015834 // CNVD: CNVD-2019-22783 // VULHUB: VHN-124659

IOT TAXONOMY

category: ['ICS', 'Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-22783

AFFECTED PRODUCTS

vendor: vivotek, model: fd8136, scope: eq, version: 0301a

Trust: 1.0

vendor: vivotek, model: network camera fd8136, scope: -, version: -

Trust: 0.8

vendor: vivotek, model: fd8136, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2019-22783 // JVNDB: JVNDB-2018-015834 // NVD: CVE-2018-14494

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-14494
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-14494
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2019-22783
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201907-552
value: CRITICAL

Trust: 0.6

VULHUB: VHN-124659
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-14494
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-22783
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-124659
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-14494
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-22783 // VULHUB: VHN-124659 // JVNDB: JVNDB-2018-015834 // CNNVD: CNNVD-201907-552 // NVD: CVE-2018-14494

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.1

problemtype: CWE-77

Trust: 0.9

sources: VULHUB: VHN-124659 // JVNDB: JVNDB-2018-015834 // NVD: CVE-2018-14494

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-552

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201907-552

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015834

PATCH

title: FD8136, url: https://www.vivotek.com/fd8136

Trust: 0.8

sources: JVNDB: JVNDB-2018-015834

EXTERNAL IDS

db: NVD, id: CVE-2018-14494

Trust: 3.1

db: JVNDB, id: JVNDB-2018-015834

Trust: 0.8

db: CNNVD, id: CNNVD-201907-552

Trust: 0.7

db: CNVD, id: CNVD-2019-22783

Trust: 0.6

db: VULHUB, id: VHN-124659

Trust: 0.1

sources: CNVD: CNVD-2019-22783 // VULHUB: VHN-124659 // JVNDB: JVNDB-2018-015834 // CNNVD: CNNVD-201907-552 // NVD: CVE-2018-14494

REFERENCES

url: https://www.vdalabs.com/2018/07/23/professional-iot-hacking-series-target-selection-firmware-analysis/

Trust: 2.5

url: https://www.vdalabs.com/2018/08/06/professional-iot-hacking-series-hunting-remote-command-injection/

Trust: 2.3

url: https://nvd.nist.gov/vuln/detail/cve-2018-14494

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14494

Trust: 0.8

sources: CNVD: CNVD-2019-22783 // VULHUB: VHN-124659 // JVNDB: JVNDB-2018-015834 // CNNVD: CNNVD-201907-552 // NVD: CVE-2018-14494

SOURCES

db: CNVD, id: CNVD-2019-22783
db: VULHUB, id: VHN-124659
db: JVNDB, id: JVNDB-2018-015834
db: CNNVD, id: CNNVD-201907-552
db: NVD, id: CVE-2018-14494

LAST UPDATE DATE

2024-11-23T23:01:47.836000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-22783, date: 2019-07-16T00:00:00
db: VULHUB, id: VHN-124659, date: 2020-08-24T00:00:00
db: JVNDB, id: JVNDB-2018-015834, date: 2019-07-12T00:00:00
db: CNNVD, id: CNNVD-201907-552, date: 2020-10-28T00:00:00
db: NVD, id: CVE-2018-14494, date: 2024-11-21T03:49:11.077

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-22783, date: 2019-07-16T00:00:00
db: VULHUB, id: VHN-124659, date: 2019-07-10T00:00:00
db: JVNDB, id: JVNDB-2018-015834, date: 2019-07-12T00:00:00
db: CNNVD, id: CNNVD-201907-552, date: 2019-07-10T00:00:00
db: NVD, id: CVE-2018-14494, date: 2019-07-10T13:15:10.590