CVE-2017-9386 - OpenCVE

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a script file called "get_file.sh" which allows a user to retrieve any file stored in the "cmh-ext" folder on the device. However, the "filename" parameter is not validated correctly and this allows an attacker to directory traverse outside the /cmh-ext folder and read any file on the device. It is necessary to create the folder "cmh-ext" on the device which can be executed by an attacker first in an unauthenticated fashion and then execute a directory traversal attack.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Getvera	Veraedge Firmware Veraedge Veralite Firmware Veralite

Configuration 1 [-]

AND

cpe:2.3:o:getvera:veraedge_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:getvera:veraedge:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:getvera:veralite_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:getvera:veralite:-:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html	Third Party Advisory VDB Entry
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf	Exploit Third Party Advisory
https://seclists.org/bugtraq/2019/Jun/8	Mailing List Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-06-17T19:31:01

Updated: 2019-06-17T19:31:44

Reserved: 2017-06-02T00:00:00

Link: CVE-2017-9386

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-06-17T20:15:09.337

Modified: 2019-06-21T13:43:15.167

Link: CVE-2017-9386

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-06-07T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a script file called \"get_file.sh\" which allows a user to retrieve any file stored in the \"cmh-ext\" folder on the device. However, the \"filename\" parameter is not validated correctly and this allows an attacker to directory traverse outside the /cmh-ext folder and read any file on the device. It is necessary to create the folder \"cmh-ext\" on the device which can be executed by an attacker first in an unauthenticated fashion and then execute a directory traversal attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-17T19:31:44", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20190609 Newly releases IoT security issues", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Jun/8"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-9386", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a script file called \"get_file.sh\" which allows a user to retrieve any file stored in the \"cmh-ext\" folder on the device. However, the \"filename\" parameter is not validated correctly and this allows an attacker to directory traverse outside the /cmh-ext folder and read any file on the device. It is necessary to create the folder \"cmh-ext\" on the device which can be executed by an attacker first in an unauthenticated fashion and then execute a directory traversal attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20190609 Newly releases IoT security issues", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Jun/8"}, {"name": "http://packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html"}, {"name": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf", "refsource": "MISC", "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-9386", "datePublished": "2019-06-17T19:31:01", "dateReserved": "2017-06-02T00:00:00", "dateUpdated": "2019-06-17T19:31:44", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:getvera:veraedge_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "49C1D79D-A586-4D41-A10C-1815E6E0D765", "versionEndIncluding": "1.7.19", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:getvera:veraedge:-:*:*:*:*:*:*:*", "matchCriteriaId": "0A3D3CAC-84A4-4F14-8FB6-1E6437F8D2C0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:getvera:veralite_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC96E7A8-DB6C-47C8-9B33-AE4ED418C70E", "versionEndIncluding": "1.7.481", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:getvera:veralite:-:*:*:*:*:*:*:*", "matchCriteriaId": "914728A7-7BA3-4612-A6AA-172B24431947", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides a script file called \"get_file.sh\" which allows a user to retrieve any file stored in the \"cmh-ext\" folder on the device. However, the \"filename\" parameter is not validated correctly and this allows an attacker to directory traverse outside the /cmh-ext folder and read any file on the device. It is necessary to create the folder \"cmh-ext\" on the device which can be executed by an attacker first in an unauthenticated fashion and then execute a directory traversal attack."}, {"lang": "es", "value": "Se detect\u00f3 un problema en los dispositivos VeraEdge versi\u00f3n 1.7.19 y versi\u00f3n Veralite 1.7.481 de Vera. El dispositivo proporciona un archivo script llamado \"get_file.sh\" que le permite al usuario recuperar cualquier archivo almacenado en la carpeta \"cmh-ext\" del dispositivo. Sin embargo, el par\u00e1metro \"filename\" no se comprueba correctamente y esto permite a un atacante saltar de directorio fuera de la carpeta /cmh-ext y leer cualquier archivo en el dispositivo. Es necesario crear la carpeta \"cmh-ext\" en el dispositivo que puede ser ejecutada primero por un atacante de manera no autenticada y luego ejecutar un ataque de salto de directorio."}], "id": "CVE-2017-9386", "lastModified": "2019-06-21T13:43:15.167", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-17T20:15:09.337", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Jun/8"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}