Sign-up

ID

VAR-201807-0264


CVE

CVE-2017-3209


TITLE

DBPOWER U818A WIFI quadcopter drone allows full filesystem permissions to anonymous FTP

Trust: 0.8

sources: CERT/CC: VU#334207

DESCRIPTION

The DBPOWER U818A WIFI quadcopter drone provides FTP access over its own local access point, and allows full file permissions to the anonymous user. The DBPower U818A WIFI quadcopter drone runs an FTP server that by default allows anonymous access without a password, and provides full filesystem read/write permissions to the anonymous user. A remote user within range of the open access point on the drone may utilize the anonymous user of the FTP server to read arbitrary files, such as images and video recorded by the device, or to replace system files such as /etc/shadow to gain further access to the device. Furthermore, the DBPOWER U818A WIFI quadcopter drone uses BusyBox 1.20.2, which was released in 2012, and may be vulnerable to other known BusyBox vulnerabilities. U818A WIFI As an access point Wi-Fi A connection function is implemented. U818A WIFI Is a quadcopter that supports shooting images and videos from the air. A drone. In addition, it is possible to read and write to the entire file system in the drone. Also, U818A WIFI Is BusyBox 1.20.2 using. There is a security bypass vulnerability in DBPOWERU818A. An attacker could exploit the vulnerability to bypass security restrictions

Trust: 3.24

sources: NVD: CVE-2017-3209 // CERT/CC: VU#334207 // JVNDB: JVNDB-2017-002442 // CNVD: CNVD-2017-11030 // BID: 97564 // VULHUB: VHN-111412

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-11030

AFFECTED PRODUCTS

vendor:dbpowermodel:u818ascope:eqversion: -

Trust: 1.6

vendor:dbpowermodel:u818ascope:eqversion:0

Trust: 0.9

vendor:dbpowermodel: - scope: - version: -

Trust: 0.8

vendor:dbpowermodel:u818a wifiscope: - version: -

Trust: 0.8

sources: CERT/CC: VU#334207 // CNVD: CNVD-2017-11030 // BID: 97564 // JVNDB: JVNDB-2017-002442 // CNNVD: CNNVD-201704-1001 // NVD: CVE-2017-3209

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3209
value: HIGH

Trust: 1.0

NVD: CVE-2017-3209
value: HIGH

Trust: 0.8

IPA: JVNDB-2017-002442
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-11030
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201704-1001
value: HIGH

Trust: 0.6

VULHUB: VHN-111412
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-3209
severity: MEDIUM
baseScore: 4.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2017-3209
severity: HIGH
baseScore: 7.8
vectorString: NONE
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

IPA: JVNDB-2017-002442
severity: HIGH
baseScore: 7.8
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:N
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2017-11030
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-111412
severity: MEDIUM
baseScore: 4.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-3209
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.1

Trust: 1.0

IPA: JVNDB-2017-002442
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CERT/CC: VU#334207 // CNVD: CNVD-2017-11030 // VULHUB: VHN-111412 // JVNDB: JVNDB-2017-002442 // CNNVD: CNNVD-201704-1001 // NVD: CVE-2017-3209

PROBLEMTYPE DATA

problemtype:CWE-276

Trust: 1.9

problemtype:CWE-306

Trust: 1.1

problemtype:CWE-284

Trust: 0.1

sources: VULHUB: VHN-111412 // JVNDB: JVNDB-2017-002442 // NVD: CVE-2017-3209

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201704-1001

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201704-1001

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-002442

EXPLOIT AVAILABILITY
sources:
            
            
            CERT/CC: VU#334207

PATCH
title:Top Pageurl:http://www.dbpower.co.uk/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2017-002442

EXTERNAL IDS
db:CERT/CCid:VU#334207
Trust: 3.6
db:NVDid:CVE-2017-3209
Trust: 3.4
db:BIDid:97564
Trust: 2.6
db:JVNid:JVNVU91711014
Trust: 0.8
db:JVNDBid:JVNDB-2017-002442
Trust: 0.8
db:CNNVDid:CNNVD-201704-1001
Trust: 0.7
db:CNVDid:CNVD-2017-11030
Trust: 0.6
db:VULHUBid:VHN-111412
Trust: 0.1
sources:
            
            
            CERT/CC: VU#334207 // 
            
            
            
            CNVD: CNVD-2017-11030 // 
            
            
            
            VULHUB: VHN-111412 // 
            
            
            
            BID: 97564 // 
            
            
            
            JVNDB: JVNDB-2017-002442 // 
            
            
            
            CNNVD: CNNVD-201704-1001 // 
            
            
            
            NVD: CVE-2017-3209

REFERENCES
url:https://www.kb.cert.org/vuls/id/334207
Trust: 2.8
url:https://www.securityfocus.com/bid/97564
Trust: 2.3
url:https://dl.acm.org/citation.cfm?id=3139943
Trust: 1.7
url:http://cwe.mitre.org/data/definitions/276.html
Trust: 0.8
url:http://dbpower.co.uk
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3209
Trust: 0.8
url:http://jvn.jp/vu/jvnvu91711014/index.html
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-3209
Trust: 0.8
url:http://dbpower.co.uk/
Trust: 0.3
sources:
            
            
            CERT/CC: VU#334207 // 
            
            
            
            CNVD: CNVD-2017-11030 // 
            
            
            
            VULHUB: VHN-111412 // 
            
            
            
            BID: 97564 // 
            
            
            
            JVNDB: JVNDB-2017-002442 // 
            
            
            
            CNNVD: CNNVD-201704-1001 // 
            
            
            
            NVD: CVE-2017-3209

CREDITS
Junia Valente
Trust: 0.9
sources:
            
            
            BID: 97564 // 
            
            
            
            CNNVD: CNNVD-201704-1001

SOURCES
db:CERT/CCid:VU#334207
db:CNVDid:CNVD-2017-11030
db:VULHUBid:VHN-111412
db:BIDid:97564
db:JVNDBid:JVNDB-2017-002442
db:CNNVDid:CNNVD-201704-1001
db:NVDid:CVE-2017-3209

LAST UPDATE DATE
2024-09-09T23:00:43.238000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#334207date:2017-04-24T00:00:00
db:CNVDid:CNVD-2017-11030date:2019-05-17T00:00:00
db:VULHUBid:VHN-111412date:2020-05-28T00:00:00
db:BIDid:97564date:2017-04-18T02:04:00
db:JVNDBid:JVNDB-2017-002442date:2019-07-24T00:00:00
db:CNNVDid:CNNVD-201704-1001date:2019-10-17T00:00:00
db:NVDid:CVE-2017-3209date:2020-05-28T19:04:00.627

SOURCES RELEASE DATE
db:CERT/CCid:VU#334207date:2017-04-11T00:00:00
db:CNVDid:CNVD-2017-11030date:2017-06-23T00:00:00
db:VULHUBid:VHN-111412date:2018-07-24T00:00:00
db:BIDid:97564date:2017-04-11T00:00:00
db:JVNDBid:JVNDB-2017-002442date:2017-04-13T00:00:00
db:CNNVDid:CNNVD-201704-1001date:2017-04-11T00:00:00
db:NVDid:CVE-2017-3209date:2018-07-24T15:29:00.687