CVE-2016-9357 - OpenCVE

An issue was discovered in certain legacy Eaton ePDUs -- the affected products are past end-of-life (EoL) and no longer supported: EAMxxx prior to June 30, 2015, EMAxxx prior to January 31, 2014, EAMAxx prior to January 31, 2014, EMAAxx prior to January 31, 2014, and ESWAxx prior to January 31, 2014. An unauthenticated attacker may be able to access configuration files with a specially crafted URL (Path Traversal).

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Eaton	Eamaxx Series Epdu Firmware Eswaxx Series Epdu Firmware Emaaxx Series Epdu Eamxxx Series Epdu Firmware Eamxxx Series Epdu Emaxxx Series Epdu Eswaxx Series Epdu Eamaxx Series Epdu Emaxxx Series Epdu Firmware Emaaxx Series Epdu Firmware

Configuration 1 [-]

AND

cpe:2.3:o:eaton:eamxxx_series_epdu_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:eaton:eamxxx_series_epdu:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:eaton:emaxxx_series_epdu_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:eaton:emaxxx_series_epdu:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:eaton:eamaxx_series_epdu_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:eaton:eamaxx_series_epdu:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:eaton:emaaxx_series_epdu_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:eaton:emaaxx_series_epdu:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:eaton:eswaxx_series_epdu_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:eaton:eswaxx_series_epdu:-:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/95817	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-026-01	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2017-02-13T21:00:00

Updated: 2017-02-14T10:57:01

Reserved: 2016-11-16T00:00:00

Link: CVE-2016-9357

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-02-13T21:59:02.017

Modified: 2017-03-16T17:54:11.740

Link: CVE-2016-9357

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "Eaton ePDU EoL devices", "vendor": "n/a", "versions": [{"status": "affected", "version": "Eaton ePDU EoL devices"}]}], "datePublic": "2017-02-13T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in certain legacy Eaton ePDUs -- the affected products are past end-of-life (EoL) and no longer supported: EAMxxx prior to June 30, 2015, EMAxxx prior to January 31, 2014, EAMAxx prior to January 31, 2014, EMAAxx prior to January 31, 2014, and ESWAxx prior to January 31, 2014. An unauthenticated attacker may be able to access configuration files with a specially crafted URL (Path Traversal)."}], "problemTypes": [{"descriptions": [{"description": "Eaton ePDU Path Traversal Vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-02-14T10:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"name": "95817", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95817"}, {"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-026-01"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2016-9357", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Eaton ePDU EoL devices", "version": {"version_data": [{"version_value": "Eaton ePDU EoL devices"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in certain legacy Eaton ePDUs -- the affected products are past end-of-life (EoL) and no longer supported: EAMxxx prior to June 30, 2015, EMAxxx prior to January 31, 2014, EAMAxx prior to January 31, 2014, EMAAxx prior to January 31, 2014, and ESWAxx prior to January 31, 2014. An unauthenticated attacker may be able to access configuration files with a specially crafted URL (Path Traversal)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Eaton ePDU Path Traversal Vulnerability"}]}]}, "references": {"reference_data": [{"name": "95817", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95817"}, {"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-026-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-026-01"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2016-9357", "datePublished": "2017-02-13T21:00:00", "dateReserved": "2016-11-16T00:00:00", "dateUpdated": "2017-02-14T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:eaton:eamxxx_series_epdu_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "2704CA8E-8D97-464D-AD69-856A1AEF1EF1", "versionEndIncluding": "06-30-2015", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:eaton:eamxxx_series_epdu:-:*:*:*:*:*:*:*", "matchCriteriaId": "FF36BCAD-0E59-4ADD-8FF1-BB87232085C8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:eaton:emaxxx_series_epdu_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1D0A3D2-B37A-4F24-ACA7-EC263FFF2525", "versionEndIncluding": "01-31-2014", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:eaton:emaxxx_series_epdu:-:*:*:*:*:*:*:*", "matchCriteriaId": "B25C1569-E247-4138-BBFD-B53A512F20F6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:eaton:eamaxx_series_epdu_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "298CB4D7-E575-404A-A0A5-89DB819491A6", "versionEndIncluding": "01-31-2014", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:eaton:eamaxx_series_epdu:-:*:*:*:*:*:*:*", "matchCriteriaId": "0999ABF5-4A96-4223-8928-AA54922D306D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:eaton:emaaxx_series_epdu_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "26F24225-A90D-47B9-BE4D-575994669B30", "versionEndIncluding": "01-31-2014", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:eaton:emaaxx_series_epdu:-:*:*:*:*:*:*:*", "matchCriteriaId": "02E9FBE3-0626-4442-ADF4-B8C5D7F30C0B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:eaton:eswaxx_series_epdu_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D1A9302-1F03-4198-85E2-7AA8C769F643", "versionEndIncluding": "01-31-2014", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:eaton:eswaxx_series_epdu:-:*:*:*:*:*:*:*", "matchCriteriaId": "0CFDA803-A346-4C19-9572-490971558551", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in certain legacy Eaton ePDUs -- the affected products are past end-of-life (EoL) and no longer supported: EAMxxx prior to June 30, 2015, EMAxxx prior to January 31, 2014, EAMAxx prior to January 31, 2014, EMAAxx prior to January 31, 2014, and ESWAxx prior to January 31, 2014. An unauthenticated attacker may be able to access configuration files with a specially crafted URL (Path Traversal)."}, {"lang": "es", "value": "Ha sido descubierto un problema en ciertas legacy Eaton ePDUs -- los productos afectados han pasado el t\u00e9rmino de vida \u00fatil (EoL) y ya no son compatibles: EAMxxx antes del 30 de junio de 2015, EMAxxx antes del 31 de enero de 2014, EAMAxx antes del 31 de enero , 2014, EMAAxx antes del 31 de enero de 2014 y ESWAxx antes del 31 de enero de 2014. Un atacante no autenticado puede tener acceso a los archivos de configuraci\u00f3n con una URL especialmente manipulada (Salto de Ruta)."}], "id": "CVE-2016-9357", "lastModified": "2017-03-16T17:54:11.740", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-13T21:59:02.017", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95817"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-026-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}