CVE-2018-14705 - OpenCVE

In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Drobo	5n2 Firmware 5n2

Configuration 1 [-]

AND

cpe:2.3:o:drobo:5n2_firmware:4.0.5:*:*:*:*:*:*:*

cpe:2.3:h:drobo:5n2:-:*:*:*:*:*:*:*

References

Link	Resource
https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc	Third Party Advisory
https://www.ise.io/casestudies/sohopelessly-broken-2-0/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-02-24T18:16:20

Updated: 2020-02-24T18:16:20

Reserved: 2018-07-28T00:00:00

Link: CVE-2018-14705

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-02-24T19:15:12.010

Modified: 2020-03-02T15:27:46.870

Link: CVE-2018-14705

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-02-24T18:16:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc"}, {"tags": ["x_refsource_MISC"], "url": "https://www.ise.io/casestudies/sohopelessly-broken-2-0/"}], "title": "Lack of Authentication/Authorization on Administrative Web Pages", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-14705", "STATE": "PUBLIC", "TITLE": "Lack of Authentication/Authorization on Administrative Web Pages"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc", "refsource": "MISC", "url": "https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc"}, {"name": "https://www.ise.io/casestudies/sohopelessly-broken-2-0/", "refsource": "MISC", "url": "https://www.ise.io/casestudies/sohopelessly-broken-2-0/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-14705", "datePublished": "2020-02-24T18:16:20", "dateReserved": "2018-07-28T00:00:00", "dateUpdated": "2020-02-24T18:16:20", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:drobo:5n2_firmware:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "1668799A-01C3-4B54-9C47-3FB9A61C7F9E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:drobo:5n2:-:*:*:*:*:*:*:*", "matchCriteriaId": "07D3025D-7247-4F25-9F2D-5F0DDAEEAC08", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself."}, {"lang": "es", "value": "En Drobo 5N2 versi\u00f3n 4.0.5, todas las aplicaciones opcionales presentan una carencia de cualquier forma de comprobaci\u00f3n de autenticaci\u00f3n/autorizaci\u00f3n. Como resultado, cualquier usuario capaz de acceder al dispositivo por medio de la red, puede interactuar y controlar estas aplicaciones. Esto no solo plantea un grave riesgo para la disponibilidad de estas aplicaciones, sino que tambi\u00e9n plantea graves riesgos para la confidencialidad e integridad de los datos almacenados dentro de las aplicaciones y del dispositivo en s\u00ed."}], "id": "CVE-2018-14705", "lastModified": "2020-03-02T15:27:46.870", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-24T19:15:12.010", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.ise.io/casestudies/sohopelessly-broken-2-0/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}