VAR-201906-0772
Vulnerability from variot - Updated: 2024-11-23 21:52An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new port forwarding rules to the device. It seems that the POST parameters passed in this request to set up routes on the device can be set in such a way that would result in passing commands to a "system" API in the function and thus result in command injection on the device. If the firmware version AL-R096 is dissected using binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary "goahead" is the one that has the vulnerable function that recieves the values sent by the POST request. If we open this binary in IDA-pro we will notice that this follows a MIPS little endian format. The function sub_43C280in IDA pro is identified to be receiving the values sent in the POST request and the value set in POST parameter "ip_address" is extracted at address 0x0043C2F0. The POST parameter "ipaddress" is concatenated at address 0x0043C958 and this is passed to a "system" function at address 0x00437284. This allows an attacker to provide the payload of his/her choice and finally take control of the device. Securifi Almond , Almond+ , Almond 2015 The device firmware contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SecurifiAlmond is a wireless router with a touch screen
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0772",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "almond 2015",
"scope": "eq",
"trust": 1.8,
"vendor": "securifi",
"version": "al-r096"
},
{
"model": "almond",
"scope": "eq",
"trust": 1.8,
"vendor": "securifi",
"version": "al-r096"
},
{
"model": "almond\\+",
"scope": "eq",
"trust": 1.0,
"vendor": "securifi",
"version": "al-r096"
},
{
"model": "almond+",
"scope": "eq",
"trust": 0.8,
"vendor": "securifi",
"version": "al-r096"
},
{
"model": "almond+ al-r096",
"scope": null,
"trust": 0.6,
"vendor": "securifi",
"version": null
},
{
"model": "almond-2015 al-r096",
"scope": null,
"trust": 0.6,
"vendor": "securifi",
"version": null
},
{
"model": "almond al-r096",
"scope": null,
"trust": 0.6,
"vendor": "securifi",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-18745"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-014536"
},
{
"db": "NVD",
"id": "CVE-2017-8331"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:securifi:almond-2015_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:securifi:almond_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:securifi:almond%2bfirmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-014536"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Mandar Satam",
"sources": [
{
"db": "PACKETSTORM",
"id": "153227"
}
],
"trust": 0.1
},
"cve": "CVE-2017-8331",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CVE-2017-8331",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 7.6,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 4.9,
"id": "CNVD-2019-18745",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "VHN-116534",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:S/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2017-8331",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2017-8331",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2017-8331",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2019-18745",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-711",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-116534",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2017-8331",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-18745"
},
{
"db": "VULHUB",
"id": "VHN-116534"
},
{
"db": "VULMON",
"id": "CVE-2017-8331"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-014536"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-711"
},
{
"db": "NVD",
"id": "CVE-2017-8331"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of adding new port forwarding rules to the device. It seems that the POST parameters passed in this request to set up routes on the device can be set in such a way that would result in passing commands to a \"system\" API in the function and thus result in command injection on the device. If the firmware version AL-R096 is dissected using binwalk tool, we obtain a cpio-root archive which contains the filesystem set up on the device that contains all the binaries. The binary \"goahead\" is the one that has the vulnerable function that recieves the values sent by the POST request. If we open this binary in IDA-pro we will notice that this follows a MIPS little endian format. The function sub_43C280in IDA pro is identified to be receiving the values sent in the POST request and the value set in POST parameter \"ip_address\" is extracted at address 0x0043C2F0. The POST parameter \"ipaddress\" is concatenated at address 0x0043C958 and this is passed to a \"system\" function at address 0x00437284. This allows an attacker to provide the payload of his/her choice and finally take control of the device. Securifi Almond , Almond+ , Almond 2015 The device firmware contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. SecurifiAlmond is a wireless router with a touch screen",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-8331"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-014536"
},
{
"db": "CNVD",
"id": "CNVD-2019-18745"
},
{
"db": "VULHUB",
"id": "VHN-116534"
},
{
"db": "VULMON",
"id": "CVE-2017-8331"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-8331",
"trust": 3.3
},
{
"db": "PACKETSTORM",
"id": "153227",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2017-014536",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-711",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-18745",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-116534",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2017-8331",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-18745"
},
{
"db": "VULHUB",
"id": "VHN-116534"
},
{
"db": "VULMON",
"id": "CVE-2017-8331"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-014536"
},
{
"db": "PACKETSTORM",
"id": "153227"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-711"
},
{
"db": "NVD",
"id": "CVE-2017-8331"
}
]
},
"id": "VAR-201906-0772",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-18745"
},
{
"db": "VULHUB",
"id": "VHN-116534"
}
],
"trust": 1.3976326616666666
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-18745"
}
]
},
"last_update_date": "2024-11-23T21:52:10.253000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "almond",
"trust": 0.8,
"url": "https://www.securifi.com/ja/almond"
},
{
"title": "almondplus",
"trust": 0.8,
"url": "https://www.securifi.com/ja/almondplus"
},
{
"title": "almond-2015",
"trust": 0.8,
"url": "https://www.securifi.com/ja/almond-2015"
},
{
"title": "Patch for SecurifiAlmond Command Injection Vulnerability (CNVD-2019-18745)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/164223"
},
{
"title": "Securifi Almond Fixes for command injection vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93896"
},
{
"title": "IoT_vulnerabilities",
"trust": 0.1,
"url": "https://github.com/ethanhunnt/IoT_vulnerabilities "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-18745"
},
{
"db": "VULMON",
"id": "CVE-2017-8331"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-014536"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-711"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-77",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-116534"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-014536"
},
{
"db": "NVD",
"id": "CVE-2017-8331"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "https://github.com/ethanhunnt/iot_vulnerabilities/blob/master/securifi_almond_plus_sec_issues.pdf"
},
{
"trust": 2.4,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/153227/securifi-almond-2015-buffer-overflow-command-injection-xss-csrf.html"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-8331"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8331"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/77.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/ethanhunnt/iot_vulnerabilities"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-8330"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-8333"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-8335"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-8329"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-8337"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-8328"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-8336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-8334"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-8332"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-18745"
},
{
"db": "VULHUB",
"id": "VHN-116534"
},
{
"db": "VULMON",
"id": "CVE-2017-8331"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-014536"
},
{
"db": "PACKETSTORM",
"id": "153227"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-711"
},
{
"db": "NVD",
"id": "CVE-2017-8331"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-18745"
},
{
"db": "VULHUB",
"id": "VHN-116534"
},
{
"db": "VULMON",
"id": "CVE-2017-8331"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-014536"
},
{
"db": "PACKETSTORM",
"id": "153227"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-711"
},
{
"db": "NVD",
"id": "CVE-2017-8331"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-21T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-18745"
},
{
"date": "2019-06-18T00:00:00",
"db": "VULHUB",
"id": "VHN-116534"
},
{
"date": "2019-06-18T00:00:00",
"db": "VULMON",
"id": "CVE-2017-8331"
},
{
"date": "2019-06-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-014536"
},
{
"date": "2019-06-07T15:06:02",
"db": "PACKETSTORM",
"id": "153227"
},
{
"date": "2019-06-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-711"
},
{
"date": "2019-06-18T20:15:11.813000",
"db": "NVD",
"id": "CVE-2017-8331"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-21T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-18745"
},
{
"date": "2019-06-21T00:00:00",
"db": "VULHUB",
"id": "VHN-116534"
},
{
"date": "2019-06-21T00:00:00",
"db": "VULMON",
"id": "CVE-2017-8331"
},
{
"date": "2019-06-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-014536"
},
{
"date": "2019-06-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-711"
},
{
"date": "2024-11-21T03:33:46.623000",
"db": "NVD",
"id": "CVE-2017-8331"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-711"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural Securifi Almond Command injection vulnerability in device firmware",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-014536"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-711"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…