Details of VAR-201707-0412

ID

VAR-201707-0412

CVE

CVE-2017-2184

TITLE

HOME SPOT CUBE2 vulnerable to buffer overflow in WebUI

Trust: 0.8

sources: JVNDB: JVNDB-2017-000136

DESCRIPTION

Buffer overflow in HOME SPOT CUBE2 firmware V101 and earlier allows an attacker to execute arbitrary code via WebUI. HOME SPOT CUBE2 provided by KDDI CORPORATION is a wireless LAN router. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Arbitrary code may be executed by an attacker who can access the management screen of the product. The WebUI is one of the graphical user interfaces. Multiple remote command injection vulnerabilities 2. A buffer-overflow vulnerability 3. Other attacks may also be possible

Trust: 2.52

sources: NVD: CVE-2017-2184 // JVNDB: JVNDB-2017-000136 // CNVD: CNVD-2017-14890 // BID: 99282 // VULHUB: VHN-110387

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-14890

AFFECTED PRODUCTS

vendor:	kddi	model:	home spot cube 2	scope:	eq	version:	v100	Trust: 1.6
vendor:	kddi	model:	home spot cube 2	scope:	eq	version:	v101	Trust: 1.6
vendor:	kddi	model:	home spot cube2	scope:	lte	version:	v101	Trust: 0.8
vendor:	kddi	model:	home spot cube2	scope:	lte	version:	<=v101	Trust: 0.6
vendor:	kddi	model:	home spot cube	scope:	eq	version:	101	Trust: 0.3
vendor:	kddi	model:	home spot cube	scope:	ne	version:	102	Trust: 0.3

sources: CNVD: CNVD-2017-14890 // BID: 99282 // JVNDB: JVNDB-2017-000136 // CNNVD: CNNVD-201706-1111 // NVD: CVE-2017-2184

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-2184
value:	HIGH
Trust: 1.0
IPA:	JVNDB-2017-000136
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2017-14890
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201706-1111
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-110387
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-2184
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
IPA:	JVNDB-2017-000136
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2017-14890
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-110387
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-2184
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.0
IPA:	JVNDB-2017-000136
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2017-14890 // VULHUB: VHN-110387 // JVNDB: JVNDB-2017-000136 // CNNVD: CNNVD-201706-1111 // NVD: CVE-2017-2184

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-110387 // JVNDB: JVNDB-2017-000136 // NVD: CVE-2017-2184

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201706-1111

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201706-1111

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-000136

PATCH

title:	About Firmware update for HOME SPOT CUBE2	url:	https://www.au.com/information/notice_mobile/update/update-20170612-01/	Trust: 0.8
title:	KDDIHOMESPOTCUBE2WebUI Buffer Overflow Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/98207	Trust: 0.6
title:	KDDI HOME SPOT CUBE Buffer error vulnerability fix	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71310	Trust: 0.6

sources: CNVD: CNVD-2017-14890 // JVNDB: JVNDB-2017-000136 // CNNVD: CNNVD-201706-1111

EXTERNAL IDS

db:	JVN	id:	JVN24348065	Trust: 3.4
db:	NVD	id:	CVE-2017-2184	Trust: 3.4
db:	BID	id:	99282	Trust: 2.0
db:	JVNDB	id:	JVNDB-2017-000136	Trust: 0.8
db:	CNNVD	id:	CNNVD-201706-1111	Trust: 0.7
db:	CNVD	id:	CNVD-2017-14890	Trust: 0.6
db:	VULHUB	id:	VHN-110387	Trust: 0.1

sources: CNVD: CNVD-2017-14890 // VULHUB: VHN-110387 // BID: 99282 // JVNDB: JVNDB-2017-000136 // CNNVD: CNNVD-201706-1111 // NVD: CVE-2017-2184

REFERENCES

url:	http://jvn.jp/en/jp/jvn24348065/index.html	Trust: 2.8
url:	http://www.securityfocus.com/bid/99282	Trust: 1.7
url:	https://www.au.com/information/notice_mobile/update/update-20170612-01/	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2184	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-2184	Trust: 0.8
url:	http://jvn.jp/en/jp/jvn24348065/	Trust: 0.6
url:	http://www.kddi.com/english/	Trust: 0.3

sources: CNVD: CNVD-2017-14890 // VULHUB: VHN-110387 // BID: 99282 // JVNDB: JVNDB-2017-000136 // CNNVD: CNNVD-201706-1111 // NVD: CVE-2017-2184

CREDITS

Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc.

Trust: 0.9

sources: BID: 99282 // CNNVD: CNNVD-201706-1111

SOURCES

db:	CNVD	id:	CNVD-2017-14890
db:	VULHUB	id:	VHN-110387
db:	BID	id:	99282
db:	JVNDB	id:	JVNDB-2017-000136
db:	CNNVD	id:	CNNVD-201706-1111
db:	NVD	id:	CVE-2017-2184

LAST UPDATE DATE

2024-11-23T22:12:58.989000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-14890	date:	2017-07-17T00:00:00
db:	VULHUB	id:	VHN-110387	date:	2017-07-14T00:00:00
db:	BID	id:	99282	date:	2017-06-22T00:00:00
db:	JVNDB	id:	JVNDB-2017-000136	date:	2018-02-14T00:00:00
db:	CNNVD	id:	CNNVD-201706-1111	date:	2017-07-10T00:00:00
db:	NVD	id:	CVE-2017-2184	date:	2024-11-21T03:23:03.207

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-14890	date:	2017-07-17T00:00:00
db:	VULHUB	id:	VHN-110387	date:	2017-07-07T00:00:00
db:	BID	id:	99282	date:	2017-06-22T00:00:00
db:	JVNDB	id:	JVNDB-2017-000136	date:	2017-06-21T00:00:00
db:	CNNVD	id:	CNNVD-201706-1111	date:	2017-06-27T00:00:00
db:	NVD	id:	CVE-2017-2184	date:	2017-07-07T13:29:00.350