Details of VAR-201906-0769

ID

VAR-201906-0769

CVE

CVE-2017-8328

TITLE

plural Securifi Almond Device firmware cross-site request forgery vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-014542

DESCRIPTION

An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross site request forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface to change a user's password. Also this is a systemic issue. Securifi Almond , Almond+ , Almond 2015 The device firmware contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SecurifiAlmond is a wireless router with a touch screen. A server-side request forgery vulnerability exists in SecurifiAlmond, Almond+, and Almond2015 using AL-R096 firmware, which can be exploited by remote attackers to trick users into modifying user passwords

Trust: 2.34

sources: NVD: CVE-2017-8328 // JVNDB: JVNDB-2017-014542 // CNVD: CNVD-2019-18747 // VULHUB: VHN-116531 // VULMON: CVE-2017-8328

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-18747

AFFECTED PRODUCTS

vendor:	securifi	model:	almond 2015	scope:	eq	version:	al-r096	Trust: 1.8
vendor:	securifi	model:	almond	scope:	eq	version:	al-r096	Trust: 1.8
vendor:	securifi	model:	almond\+	scope:	eq	version:	al-r096	Trust: 1.0
vendor:	securifi	model:	almond+	scope:	eq	version:	al-r096	Trust: 0.8
vendor:	securifi	model:	almond+ al-r096	scope:	-	version:	-	Trust: 0.6
vendor:	securifi	model:	almond-2015 al-r096	scope:	-	version:	-	Trust: 0.6
vendor:	securifi	model:	almond al-r096	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2019-18747 // JVNDB: JVNDB-2017-014542 // NVD: CVE-2017-8328

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-8328
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-8328
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-18747
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201906-713
value:	HIGH
Trust: 0.6
VULHUB:	VHN-116531
value:	HIGH
Trust: 0.1
VULMON:	CVE-2017-8328
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-8328
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2019-18747
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-116531
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-8328
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-18747 // VULHUB: VHN-116531 // VULMON: CVE-2017-8328 // JVNDB: JVNDB-2017-014542 // CNNVD: CNNVD-201906-713 // NVD: CVE-2017-8328

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-116531 // JVNDB: JVNDB-2017-014542 // NVD: CVE-2017-8328

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-713

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201906-713

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014542

PATCH

title:	almond	url:	https://www.securifi.com/ja/almond	Trust: 0.8
title:	almondplus	url:	https://www.securifi.com/ja/almondplus	Trust: 0.8
title:	almond-2015	url:	https://www.securifi.com/ja/almond-2015	Trust: 0.8
title:	SecurifiAlmond server side request forgery vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/164219	Trust: 0.6
title:	Securifi Almond Fixes for code issue vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93898	Trust: 0.6
title:	IoT_vulnerabilities	url:	https://github.com/ethanhunnt/IoT_vulnerabilities	Trust: 0.1

sources: CNVD: CNVD-2019-18747 // VULMON: CVE-2017-8328 // JVNDB: JVNDB-2017-014542 // CNNVD: CNNVD-201906-713

EXTERNAL IDS

db:	NVD	id:	CVE-2017-8328	Trust: 3.3
db:	PACKETSTORM	id:	153227	Trust: 2.5
db:	JVNDB	id:	JVNDB-2017-014542	Trust: 0.8
db:	CNVD	id:	CNVD-2019-18747	Trust: 0.6
db:	CNNVD	id:	CNNVD-201906-713	Trust: 0.6
db:	VULHUB	id:	VHN-116531	Trust: 0.1
db:	VULMON	id:	CVE-2017-8328	Trust: 0.1

sources: CNVD: CNVD-2019-18747 // VULHUB: VHN-116531 // VULMON: CVE-2017-8328 // JVNDB: JVNDB-2017-014542 // PACKETSTORM: 153227 // CNNVD: CNNVD-201906-713 // NVD: CVE-2017-8328

REFERENCES

url:	https://github.com/ethanhunnt/iot_vulnerabilities/blob/master/securifi_almond_plus_sec_issues.pdf	Trust: 3.2
url:	https://seclists.org/bugtraq/2019/jun/8	Trust: 2.4
url:	http://packetstormsecurity.com/files/153227/securifi-almond-2015-buffer-overflow-command-injection-xss-csrf.html	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8328	Trust: 1.5
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8328	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/352.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/ethanhunnt/iot_vulnerabilities	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8330	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8333	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8335	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8329	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8337	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8331	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8336	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8334	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8332	Trust: 0.1

CREDITS

Mandar Satam

Trust: 0.1

sources: PACKETSTORM: 153227

SOURCES

db:	CNVD	id:	CNVD-2019-18747
db:	VULHUB	id:	VHN-116531
db:	VULMON	id:	CVE-2017-8328
db:	JVNDB	id:	JVNDB-2017-014542
db:	PACKETSTORM	id:	153227
db:	CNNVD	id:	CNNVD-201906-713
db:	NVD	id:	CVE-2017-8328

LAST UPDATE DATE

2024-11-23T21:52:10.435000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-18747	date:	2019-06-21T00:00:00
db:	VULHUB	id:	VHN-116531	date:	2019-06-21T00:00:00
db:	VULMON	id:	CVE-2017-8328	date:	2019-06-21T00:00:00
db:	JVNDB	id:	JVNDB-2017-014542	date:	2019-06-25T00:00:00
db:	CNNVD	id:	CNNVD-201906-713	date:	2019-06-24T00:00:00
db:	NVD	id:	CVE-2017-8328	date:	2024-11-21T03:33:46.143

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-18747	date:	2019-06-21T00:00:00
db:	VULHUB	id:	VHN-116531	date:	2019-06-18T00:00:00
db:	VULMON	id:	CVE-2017-8328	date:	2019-06-18T00:00:00
db:	JVNDB	id:	JVNDB-2017-014542	date:	2019-06-25T00:00:00
db:	PACKETSTORM	id:	153227	date:	2019-06-07T15:06:02
db:	CNNVD	id:	CNNVD-201906-713	date:	2019-06-18T00:00:00
db:	NVD	id:	CVE-2017-8328	date:	2019-06-18T21:15:09.713