ID

VAR-201704-0142


CVE

CVE-2016-5071


TITLE

Sierra Wireless GX 440 Device ALEOS Firmware vulnerabilities related to authorization, authority, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2016-008303

DESCRIPTION

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 execute the management web application as root. Sierra Wireless GX 440 Device ALEOS Firmware contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and a denial-of-service (DoS) attack may be carried out. The Sierra Wireless GX440 is a gateway device from Sierra Wireless, Canada. The Sierra Wireless GX440 has a privilege escalation vulnerability that can be exploited by remote attackers to submit special requests and escalate permissions. A security vulnerability exists in the Sierra Wireless GX440 using ALEOS firmware version 4.3.2. An attacker can exploit this vulnerability to operate and manage web applications with root privileges.

Trust: 2.25

sources: NVD: CVE-2016-5071 // JVNDB: JVNDB-2016-008303 // CNVD: CNVD-2017-10178 // VULHUB: VHN-93890

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-10178

AFFECTED PRODUCTS

vendor: sierrawireless, model: aleos, scope: eq, version: 4.3.2

Trust: 1.6

vendor: sierra, model: aleos, scope: eq, version: 4.3.2

Trust: 0.8

vendor: sierra, model: wireless gx440, scope: eq, version: 4.3.2

Trust: 0.6

sources: CNVD: CNVD-2017-10178 // JVNDB: JVNDB-2016-008303 // CNNVD: CNNVD-201704-504 // NVD: CVE-2016-5071

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-5071
value: HIGH

Trust: 1.0

NVD: CVE-2016-5071
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-10178
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201704-504
value: CRITICAL

Trust: 0.6

VULHUB: VHN-93890
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-5071
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-10178
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-93890
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-5071
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-10178 // VULHUB: VHN-93890 // JVNDB: JVNDB-2016-008303 // CNNVD: CNNVD-201704-504 // NVD: CVE-2016-5071

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-93890 // JVNDB: JVNDB-2016-008303 // NVD: CVE-2016-5071

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-504

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201704-504

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-008303

PATCH

title: Getting started with AirLink Intelligent Gateways
url: https://source.sierrawireless.com/airvantage/avc/howto/hardware/airlink_getting_started/

Trust: 0.8

title: Patch for the SierraWirelessGX440 Privilege Escalation Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/95709

Trust: 0.6

title: Sierra Wireless GX440 Fixes for permission permissions and access control vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=70152

Trust: 0.6

sources: CNVD: CNVD-2017-10178 // JVNDB: JVNDB-2016-008303 // CNNVD: CNNVD-201704-504

EXTERNAL IDS

db: NVD, id: CVE-2016-5071

Trust: 3.1

db: JVNDB, id: JVNDB-2016-008303

Trust: 0.8

db: CNNVD, id: CNNVD-201704-504

Trust: 0.7

db: CNVD, id: CNVD-2017-10178

Trust: 0.6

db: VULHUB, id: VHN-93890

Trust: 0.1

sources: CNVD: CNVD-2017-10178 // VULHUB: VHN-93890 // JVNDB: JVNDB-2016-008303 // CNNVD: CNNVD-201704-504 // NVD: CVE-2016-5071

REFERENCES

url:https://carvesystems.com/sierra-wireless-2016-advisory.html

Trust: 3.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-5071

Trust: 1.4

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5071

Trust: 0.8

sources: CNVD: CNVD-2017-10178 // VULHUB: VHN-93890 // JVNDB: JVNDB-2016-008303 // CNNVD: CNNVD-201704-504 // NVD: CVE-2016-5071

SOURCES

db: CNVD, id: CNVD-2017-10178
db: VULHUB, id: VHN-93890
db: JVNDB, id: JVNDB-2016-008303
db: CNNVD, id: CNNVD-201704-504
db: NVD, id: CVE-2016-5071

LAST UPDATE DATE

2024-11-23T21:41:31.480000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-10178, date: 2017-06-19T00:00:00
db: VULHUB, id: VHN-93890, date: 2017-04-14T00:00:00
db: JVNDB, id: JVNDB-2016-008303, date: 2017-05-15T00:00:00
db: CNNVD, id: CNNVD-201704-504, date: 2017-05-22T00:00:00
db: NVD, id: CVE-2016-5071, date: 2024-11-21T02:53:34.690

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-10178, date: 2017-06-19T00:00:00
db: VULHUB, id: VHN-93890, date: 2017-04-10T00:00:00
db: JVNDB, id: JVNDB-2016-008303, date: 2017-05-15T00:00:00
db: CNNVD, id: CNNVD-201704-504, date: 2017-04-09T00:00:00
db: NVD, id: CVE-2016-5071, date: 2017-04-10T03:59:01.780