Details of VAR-201712-1083

ID

VAR-201712-1083

CVE

CVE-2017-6679

TITLE

Cisco Umbrella Vulnerabilities related to security functions in virtual appliances

Trust: 0.8

sources: JVNDB: JVNDB-2017-011019

DESCRIPTION

The Cisco Umbrella Virtual Appliance Version 2.0.3 and prior contained an undocumented encrypted remote support tunnel (SSH) which auto initiated from the customer's appliance to Cisco's SSH Hubs in the Umbrella datacenters. These tunnels were primarily leveraged for remote support and allowed for authorized/authenticated personnel from the Cisco Umbrella team to access the appliance remotely and obtain full control without explicit customer approval. To address this vulnerability, the Umbrella Virtual Appliance version 2.1.0 now requires explicit customer approval before an SSH tunnel from the VA to the Cisco terminating server can be established. Cisco Umbrella Virtual appliances contain vulnerabilities related to security features.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. CiscoUmbrellaVirtualAppliance is a cloud-based secure Internet gateway device from Cisco. A security vulnerability exists in Cisco Umbrella VirtualAppliance 2.0.3 and earlier. This vulnerability could be exploited by a remote attacker to gain access to the device and to fully control the device. This may lead to further attacks. Timeline December 22, 2015 - Notified OpenDNS via security@opendns.com December 22, 2015 - OpenDNS responded stating that they will investigate January 4, 2016 - Asked for an update on their investigation January 11, 2016 - OpenDNS said they are working through a number of options to resolve the issue February 2, 2016 - OpenDNS advised they've shortlisted a couple of solutions and will provide another update in a week or so February 17, 2016 - OpenDNS said they would like to schedule a call to discuss February 24, 2016 - Had a call with OpenDNS to discuss possible solutions April 22, 2016 - Asked for an update on the progress of the fix May 3, 2016 - Asked for an update on the progress of the fix July 27, 2016 - Sent the vulnerability details to the Cisco PSIRT team July 29, 2016 - Cisco assigned a case number and asked to schedule a call to discuss August 17, 2016 - Had a call with the Cisco PSIRT team to discuss possible solutions September 26, 2016 - Asked for an update on the progress of the fix October 6, 2016 - Cisco provided a status update December 14, 2016 - Asked for an update on the progress of the fix December 19, 2016 - Cisco provided a status update January 10, 2017 - Asked for an update on the progress of the fix January 10, 2017 - Cisco provided a status update May 26, 2017 - Cisco assigned CVE-2017-6679 and advised that the issue would be made public in the next week June 2, 2017 - Cisco asked to move the disclosure date to August 31, 2017 August 30, 2017 - Cisco released virtual appliance version 2.1.0 which resolves this vulnerability by removing the undocumented reverse SSH tunnel September 21, 2017 - Cisco published a security advisory to document this issue Solution Upgrade to virtual appliance 2.1.0 or later https://support.umbrella.com/hc/en-us/articles/115004752143-Virtual-Appliance-Vulnerability-due-to-always-on-SSH-Tunnel-RESOLVED-2017-09-15 CVE-ID: CVE-2017-6679

Trust: 2.7

sources: NVD: CVE-2017-6679 // JVNDB: JVNDB-2017-011019 // CNVD: CNVD-2017-33270 // BID: 101567 // VULHUB: VHN-114882 // VULMON: CVE-2017-6679 // PACKETSTORM: 144723

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-33270

AFFECTED PRODUCTS

vendor:	cisco	model:	umbrella virtual appliance	scope:	eq	version:	2.0.3	Trust: 1.7
vendor:	cisco	model:	umbrella	scope:	lte	version:	2.0.3	Trust: 1.0
vendor:	cisco	model:	umbrella	scope:	eq	version:	2.0.3	Trust: 0.6
vendor:	cisco	model:	umbrella virtual appliance	scope:	ne	version:	2.1	Trust: 0.3

sources: CNVD: CNVD-2017-33270 // BID: 101567 // JVNDB: JVNDB-2017-011019 // CNNVD: CNNVD-201710-1275 // NVD: CVE-2017-6679

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-6679
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-6679
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-33270
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201710-1275
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-114882
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2017-6679
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-6679
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:L/AC:H/AU:S/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	HIGH
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	1.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2017-33270
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-114882
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:L/AC:H/AU:S/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	HIGH
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	1.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-6679
baseSeverity:	MEDIUM
baseScore:	6.4
vectorString:	CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	HIGH
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.5
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2017-33270 // VULHUB: VHN-114882 // VULMON: CVE-2017-6679 // JVNDB: JVNDB-2017-011019 // CNNVD: CNNVD-201710-1275 // NVD: CVE-2017-6679

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-254	Trust: 0.9

sources: VULHUB: VHN-114882 // JVNDB: JVNDB-2017-011019 // NVD: CVE-2017-6679

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201710-1275

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201710-1275

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011019

PATCH

title:	On-Demand Tech Support SSH Tunnel for Virtual Appliances	url:	https://support.umbrella.com/hc/en-us/articles/115004154423	Trust: 0.8
title:	Virtual Appliance - Vulnerability due to always-on SSH Tunnel - RESOLVED - 2017-09-15	url:	https://support.umbrella.com/hc/en-us/articles/115004752143-Virtual-Appliance-Vulnerability-due-to-always-on-SSH-Tunnel-RESOLVED-2017-09-15	Trust: 0.8
title:	CiscoUmbrellaVirtualAppliance does not authorize access to vulnerable patches	url:	https://www.cnvd.org.cn/patchInfo/show/105728	Trust: 0.6
title:	Cisco Umbrella Virtual Appliance Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=76040	Trust: 0.6
title:	Cisco: Cisco Umbrella Virtual Appliance Undocumented Support Tunnel Vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-umbrella-tunnel-gJw5thgE	Trust: 0.1

sources: CNVD: CNVD-2017-33270 // VULMON: CVE-2017-6679 // JVNDB: JVNDB-2017-011019 // CNNVD: CNNVD-201710-1275

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6679	Trust: 3.6
db:	BID	id:	101567	Trust: 2.7
db:	JVNDB	id:	JVNDB-2017-011019	Trust: 0.8
db:	CNNVD	id:	CNNVD-201710-1275	Trust: 0.7
db:	CNVD	id:	CNVD-2017-33270	Trust: 0.6
db:	PACKETSTORM	id:	144723	Trust: 0.2
db:	VULHUB	id:	VHN-114882	Trust: 0.1
db:	VULMON	id:	CVE-2017-6679	Trust: 0.1

sources: CNVD: CNVD-2017-33270 // VULHUB: VHN-114882 // VULMON: CVE-2017-6679 // BID: 101567 // JVNDB: JVNDB-2017-011019 // PACKETSTORM: 144723 // CNNVD: CNNVD-201710-1275 // NVD: CVE-2017-6679

REFERENCES

url:	https://support.umbrella.com/hc/en-us/articles/115004752143-virtual-appliance-vulnerability-due-to-always-on-ssh-tunnel-resolved-2017-09-15	Trust: 2.2
url:	http://www.securityfocus.com/bid/101567	Trust: 1.9
url:	https://support.umbrella.com/hc/en-us/articles/115004154423	Trust: 1.8
url:	https://www.info-sec.ca/advisories/cisco-umbrella.html	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6679	Trust: 1.5
url:	https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-umbrella-tunnel-gjw5thge	Trust: 1.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6679	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://umbrella.cisco.com/)	Trust: 0.1

CREDITS

David Coomber.

Trust: 0.9

sources: BID: 101567 // CNNVD: CNNVD-201710-1275

SOURCES

db:	CNVD	id:	CNVD-2017-33270
db:	VULHUB	id:	VHN-114882
db:	VULMON	id:	CVE-2017-6679
db:	BID	id:	101567
db:	JVNDB	id:	JVNDB-2017-011019
db:	PACKETSTORM	id:	144723
db:	CNNVD	id:	CNNVD-201710-1275
db:	NVD	id:	CVE-2017-6679

LAST UPDATE DATE

2024-11-23T22:56:01.995000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-33270	date:	2017-11-09T00:00:00
db:	VULHUB	id:	VHN-114882	date:	2019-10-03T00:00:00
db:	VULMON	id:	CVE-2017-6679	date:	2023-08-17T00:00:00
db:	BID	id:	101567	date:	2017-10-24T00:00:00
db:	JVNDB	id:	JVNDB-2017-011019	date:	2017-12-28T00:00:00
db:	CNNVD	id:	CNNVD-201710-1275	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2017-6679	date:	2024-11-21T03:30:17.310

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-33270	date:	2017-11-09T00:00:00
db:	VULHUB	id:	VHN-114882	date:	2017-12-01T00:00:00
db:	VULMON	id:	CVE-2017-6679	date:	2017-12-01T00:00:00
db:	BID	id:	101567	date:	2017-10-24T00:00:00
db:	JVNDB	id:	JVNDB-2017-011019	date:	2017-12-28T00:00:00
db:	PACKETSTORM	id:	144723	date:	2017-10-24T12:22:22
db:	CNNVD	id:	CNNVD-201710-1275	date:	2017-10-24T00:00:00
db:	NVD	id:	CVE-2017-6679	date:	2017-12-01T17:29:00.667