ID

VAR-201906-0778


CVE

CVE-2017-8337


TITLE

Information Disclosure Vulnerability in Device Firmware of Multiple Securifi Almond Products

Trust: 0.8

sources: JVNDB: JVNDB-2017-014541

DESCRIPTION

An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of executing various actions on the web management interface. It seems that the device does not implement any Origin header check, which allows an attacker who can trick a user into navigating to an attacker's webpage to exploit this issue and brute force the password for the web management interface. It also allows an attacker to then execute any other actions, which include management of rules and sensors attached to the devices, using websocket requests. An information disclosure vulnerability exists in the device firmware of Securifi Almond, Almond+, and Almond 2015. Information may be obtained, information may be tampered with, and a denial of service (DoS) condition may result. Securifi Almond is a wireless router with a touch screen. The vulnerability stems from the fact that the program does not check the Origin field in the request header. An attacker could exploit this vulnerability to brute force passwords and perform arbitrary operations.

Trust: 1.8

sources: NVD: CVE-2017-8337 // JVNDB: JVNDB-2017-014541 // VULHUB: VHN-116540 // VULMON: CVE-2017-8337

AFFECTED PRODUCTS

vendor: securifi, model: almond 2015, scope: eq, version: al-r096

Trust: 1.8

vendor: securifi, model: almond, scope: eq, version: al-r096

Trust: 1.8

vendor: securifi, model: almond\+, scope: eq, version: al-r096

Trust: 1.0

vendor: securifi, model: almond+, scope: eq, version: al-r096

Trust: 0.8

sources: JVNDB: JVNDB-2017-014541 // NVD: CVE-2017-8337

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-8337
value: HIGH

Trust: 1.0

NVD: CVE-2017-8337
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201705-019
value: HIGH

Trust: 0.6

VULHUB: VHN-116540
value: MEDIUM

Trust: 0.1

VULMON: CVE-2017-8337
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-8337
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-116540
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-8337
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-116540 // VULMON: CVE-2017-8337 // JVNDB: JVNDB-2017-014541 // CNNVD: CNNVD-201705-019 // NVD: CVE-2017-8337

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-116540 // JVNDB: JVNDB-2017-014541 // NVD: CVE-2017-8337

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-019

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201705-019

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014541

PATCH

title: almondplus, url: https://www.securifi.com/ja/almondplus

Trust: 0.8

title: almond-2015, url: https://www.securifi.com/ja/almond-2015

Trust: 0.8

title: almond, url: https://www.securifi.com/ja/almond

Trust: 0.8

title: Securifi Almond Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93909

Trust: 0.6

title: IoT_vulnerabilities, url: https://github.com/ethanhunnt/IoT_vulnerabilities

Trust: 0.1

sources: VULMON: CVE-2017-8337 // JVNDB: JVNDB-2017-014541 // CNNVD: CNNVD-201705-019

EXTERNAL IDS

db: NVD, id: CVE-2017-8337

Trust: 2.7

db: PACKETSTORM, id: 153227

Trust: 1.9

db: JVNDB, id: JVNDB-2017-014541

Trust: 0.8

db: CNNVD, id: CNNVD-201705-019

Trust: 0.7

db: VULHUB, id: VHN-116540

Trust: 0.1

db: VULMON, id: CVE-2017-8337

Trust: 0.1

sources: VULHUB: VHN-116540 // VULMON: CVE-2017-8337 // JVNDB: JVNDB-2017-014541 // PACKETSTORM: 153227 // CNNVD: CNNVD-201705-019 // NVD: CVE-2017-8337

REFERENCES

url:https://github.com/ethanhunnt/iot_vulnerabilities/blob/master/securifi_almond_plus_sec_issues.pdf

Trust: 2.6

url:https://seclists.org/bugtraq/2019/jun/8

Trust: 1.8

url:http://packetstormsecurity.com/files/153227/securifi-almond-2015-buffer-overflow-command-injection-xss-csrf.html

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-8337

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8337

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/200.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/ethanhunnt/iot_vulnerabilities

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-8330

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-8333

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-8335

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-8329

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-8328

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-8331

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-8336

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-8334

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-8332

Trust: 0.1

sources: VULHUB: VHN-116540 // VULMON: CVE-2017-8337 // JVNDB: JVNDB-2017-014541 // PACKETSTORM: 153227 // CNNVD: CNNVD-201705-019 // NVD: CVE-2017-8337

CREDITS

Mandar Satam

Trust: 0.1

sources: PACKETSTORM: 153227

SOURCES

db: VULHUB, id: VHN-116540
db: VULMON, id: CVE-2017-8337
db: JVNDB, id: JVNDB-2017-014541
db: PACKETSTORM, id: 153227
db: CNNVD, id: CNNVD-201705-019
db: NVD, id: CVE-2017-8337

LAST UPDATE DATE

2024-11-23T21:52:10.401000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-116540, date: 2019-06-21T00:00:00
db: VULMON, id: CVE-2017-8337, date: 2019-06-21T00:00:00
db: JVNDB, id: JVNDB-2017-014541, date: 2019-06-25T00:00:00
db: CNNVD, id: CNNVD-201705-019, date: 2019-06-24T00:00:00
db: NVD, id: CVE-2017-8337, date: 2024-11-21T03:33:47.600

SOURCES RELEASE DATE

db: VULHUB, id: VHN-116540, date: 2019-06-18T00:00:00
db: VULMON, id: CVE-2017-8337, date: 2019-06-18T00:00:00
db: JVNDB, id: JVNDB-2017-014541, date: 2019-06-25T00:00:00
db: PACKETSTORM, id: 153227, date: 2019-06-07T15:06:02
db: CNNVD, id: CNNVD-201705-019, date: 2017-04-29T00:00:00
db: NVD, id: CVE-2017-8337, date: 2019-06-18T21:15:09.963