CVE-2017-9382

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". It seems that the UPnP services provide "file" as one of the service actions for a normal user to read a file that is stored under the /etc/cmh-lu folder. It retrieves the value from the "parameters" query string variable and then passes it to an internal function "FileUtils::ReadFileIntoBuffer" which is a library function that does not perform any sanitization on the value submitted and this allows an attacker to use directory traversal characters "../" and read files from other folders within the device.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html	Third Party Advisory VDB Entry
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf	Exploit Third Party Advisory
https://seclists.org/bugtraq/2019/Jun/8	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:getvera:veraedge_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:getvera:veraedge:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:getvera:veralite_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:getvera:veralite:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-06-17 20:15

Updated : 2024-02-04 20:20

NVD link : CVE-2017-9382

Mitre link : CVE-2017-9382

CVE.ORG link : CVE-2017-9382

JSON object : View

Products Affected

getvera

veraedge
veraedge_firmware
veralite_firmware
veralite

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2017-9382", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-06-17T20:15:09.180", "references": [{"url": "http://packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://seclists.org/bugtraq/2019/Jun/8", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url \"/port_3480\". It seems that the UPnP services provide \"file\" as one of the service actions for a normal user to read a file that is stored under the /etc/cmh-lu folder. It retrieves the value from the \"parameters\" query string variable and then passes it to an internal function \"FileUtils::ReadFileIntoBuffer\" which is a library function that does not perform any sanitization on the value submitted and this allows an attacker to use directory traversal characters \"../\" and read files from other folders within the device."}, {"lang": "es", "value": "Se detect\u00f3 un problema en los dispositivos VeraEdge versi\u00f3n 1.7.19 y Veralite versi\u00f3n 1.7.481 de Vera. El dispositivo proporciona servicios UPnP que est\u00e1n disponibles en el puerto 3480 y tambi\u00e9n pueden ser accedidos por medio del puerto 80 mediante la url \"/port_3480\". Parece que los servicios UPnP proporcionan \"file\" como una de las acciones de servicio para que un usuario normal lea un archivo que est\u00e1 almacenado en la carpeta /etc/cmh-lu. Recupera el valor de la variable de cadena de consulta de los \"parameters\" y luego lo pasa a una funci\u00f3n interna \"FileUtils::ReadFileIntoBuffer\" que es una funci\u00f3n de biblioteca que no realiza ning\u00fan saneamiento en el valor enviado y esto permite a un atacante utilizar caracteres \"../\" de un salto de directorios y leer archivos de otras carpetas dentro del dispositivo."}], "lastModified": "2019-06-20T16:44:26.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:getvera:veraedge_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "49C1D79D-A586-4D41-A10C-1815E6E0D765", "versionEndIncluding": "1.7.19"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:getvera:veraedge:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "0A3D3CAC-84A4-4F14-8FB6-1E6437F8D2C0"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:getvera:veralite_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC96E7A8-DB6C-47C8-9B33-AE4ED418C70E", "versionEndIncluding": "1.7.481"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:getvera:veralite:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "914728A7-7BA3-4612-A6AA-172B24431947"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}