Sign-up

ID

VAR-201707-0413


CVE

CVE-2017-2185


TITLE

HOME SPOT CUBE2 vulnerable to OS command injection in WebUI

Trust: 0.8

sources: JVNDB: JVNDB-2017-000137

DESCRIPTION

HOME SPOT CUBE2 firmware V101 and earlier allows authenticated attackers to execute arbitrary OS commands via WebUI. HOME SPOT CUBE2 provided by KDDI CORPORATION is a wireless LAN router. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.An arbitrary OS command may be executed by an attacker who can access the management screen of the product. The WebUI is one of the graphical user interfaces. An operating system command injection vulnerability exists in the WebUI in KDDIHOMESPOTCUBE2 using firmware versions 101 and earlier. A remote attacker could exploit this vulnerability to execute arbitrary operating system commands. HOME SPOT CUBE2 is prone to following security vulnerabilities: 1. A buffer-overflow vulnerability 3. Other attacks may also be possible

Trust: 2.52

sources: NVD: CVE-2017-2185 // JVNDB: JVNDB-2017-000137 // CNVD: CNVD-2017-14891 // BID: 99282 // VULHUB: VHN-110388

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-14891

AFFECTED PRODUCTS

vendor:kddimodel:home spot cube 2scope:eqversion:v100

Trust: 1.6

vendor:kddimodel:home spot cube 2scope:eqversion:v101

Trust: 1.6

vendor:kddimodel:home spot cube2scope:lteversion:v101

Trust: 0.8

vendor:kddimodel:home spot cube2scope:lteversion:<=v101

Trust: 0.6

vendor:kddimodel:home spot cubescope:eqversion:101

Trust: 0.3

vendor:kddimodel:home spot cubescope:neversion:102

Trust: 0.3

sources: CNVD: CNVD-2017-14891 // BID: 99282 // JVNDB: JVNDB-2017-000137 // CNNVD: CNNVD-201706-1112 // NVD: CVE-2017-2185

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-2185
value: HIGH

Trust: 1.0

IPA: JVNDB-2017-000137
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-14891
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-1112
value: MEDIUM

Trust: 0.6

VULHUB: VHN-110388
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-2185
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2017-000137
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2017-14891
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-110388
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-2185
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

IPA: JVNDB-2017-000137
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2017-14891 // VULHUB: VHN-110388 // JVNDB: JVNDB-2017-000137 // CNNVD: CNNVD-201706-1112 // NVD: CVE-2017-2185

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.9

sources: VULHUB: VHN-110388 // JVNDB: JVNDB-2017-000137 // NVD: CVE-2017-2185

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201706-1112

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201706-1112

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-000137

PATCH
title:About Firmware update for HOME SPOT CUBE2url:https://www.au.com/information/notice_mobile/update/update-20170612-01/
Trust: 0.8
title:Patch for KDDIHOMESPOTCUBE2WebUI Operating System Command Injection Vulnerability (CNVD-2017-14891)url:https://www.cnvd.org.cn/patchInfo/show/98208
Trust: 0.6
title:KDDI HOME SPOT CUBE Fixes for operating system command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71311
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-14891 // 
            
            
            
            JVNDB: JVNDB-2017-000137 // 
            
            
            
            CNNVD: CNNVD-201706-1112

EXTERNAL IDS
db:JVNid:JVN24348065
Trust: 3.4
db:NVDid:CVE-2017-2185
Trust: 3.4
db:BIDid:99282
Trust: 2.0
db:JVNDBid:JVNDB-2017-000137
Trust: 0.8
db:CNNVDid:CNNVD-201706-1112
Trust: 0.7
db:CNVDid:CNVD-2017-14891
Trust: 0.6
db:VULHUBid:VHN-110388
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2017-14891 // 
            
            
            
            VULHUB: VHN-110388 // 
            
            
            
            BID: 99282 // 
            
            
            
            JVNDB: JVNDB-2017-000137 // 
            
            
            
            CNNVD: CNNVD-201706-1112 // 
            
            
            
            NVD: CVE-2017-2185

REFERENCES
url:http://jvn.jp/en/jp/jvn24348065/index.html
Trust: 2.8
url:http://www.securityfocus.com/bid/99282
Trust: 1.7
url:https://www.au.com/information/notice_mobile/update/update-20170612-01/
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-2185
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-2185
Trust: 0.8
url:http://jvn.jp/en/jp/jvn24348065/
Trust: 0.6
url:http://www.kddi.com/english/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2017-14891 // 
            
            
            
            VULHUB: VHN-110388 // 
            
            
            
            BID: 99282 // 
            
            
            
            JVNDB: JVNDB-2017-000137 // 
            
            
            
            CNNVD: CNNVD-201706-1112 // 
            
            
            
            NVD: CVE-2017-2185

CREDITS
Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc.
Trust: 0.9
sources:
            
            
            BID: 99282 // 
            
            
            
            CNNVD: CNNVD-201706-1112

SOURCES
db:CNVDid:CNVD-2017-14891
db:VULHUBid:VHN-110388
db:BIDid:99282
db:JVNDBid:JVNDB-2017-000137
db:CNNVDid:CNNVD-201706-1112
db:NVDid:CVE-2017-2185

LAST UPDATE DATE
2024-11-23T22:12:59.063000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-14891date:2017-07-17T00:00:00
db:VULHUBid:VHN-110388date:2017-07-14T00:00:00
db:BIDid:99282date:2017-06-22T00:00:00
db:JVNDBid:JVNDB-2017-000137date:2018-02-14T00:00:00
db:CNNVDid:CNNVD-201706-1112date:2017-07-10T00:00:00
db:NVDid:CVE-2017-2185date:2024-11-21T03:23:03.330

SOURCES RELEASE DATE
db:CNVDid:CNVD-2017-14891date:2017-07-17T00:00:00
db:VULHUBid:VHN-110388date:2017-07-07T00:00:00
db:BIDid:99282date:2017-06-22T00:00:00
db:JVNDBid:JVNDB-2017-000137date:2017-06-21T00:00:00
db:CNNVDid:CNNVD-201706-1112date:2017-06-27T00:00:00
db:NVDid:CVE-2017-2185date:2017-07-07T13:29:00.380