CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |

CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS
Percentile: 80.4%

SHDesigns’ Resident Download Manager (as well as the Ethernet Download Manager) does not authenticate firmware downloads before executing code and deploying them to devices.
**CWE-494: Download of Code Without Integrity Check** - CVE-2016-6567
SHDesigns’ Resident Download Manager provides firmware update capabilities for Rabbit 2000/3000 CPU boards, which according to the reporter may be used in some industrial control and embedded applications.
The Resident Download Manager does not verify that the firmware is authentic before executing code and deploying the firmware to devices. A remote attacker with the ability to send UDP traffic to the device may be able to execute arbitrary code on the device.
According to SHDesigns’ website, the Resident Download Manager and other Rabbit Tools have been discontinued since June 2011.
A remote attacker with the ability to send UDP traffic to the device may be able to execute arbitrary code on the device.
The CERT/CC is currently unaware of a practical solution to this problem.
According to the reporter, affected users may disable the network update feature. It is also possible that developers of products using the Resident Download Manager may be able to write a download verification wrapper around the Resident Download Manager library, but this may not be practical in all scenarios.
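One way to structure the download verification wrapper described above, as an added example that is not SHDesigns' or CERT/CC's code. The image container layout, the shared HMAC-SHA256 key and the `flash` callback (a stand-in for the download manager's entry point) are assumptions, and the version check goes slightly beyond the advisory by also rejecting replayed older images.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                    # hypothetical container magic
HEADER = struct.Struct(">4sII")    # magic, version, payload length (big-endian)
TAG_LEN = hashlib.sha256().digest_size

class RejectedImage(Exception):
    """Raised when an image must not reach the download manager."""

def sign_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Build-side helper: wrap a payload in the authenticated container."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_image(key: bytes, blob: bytes, current_version: int) -> bytes:
    """Return the payload only if tag, header and version all check out."""
    if len(blob) < HEADER.size + TAG_LEN:
        raise RejectedImage("truncated image")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # Authenticate first, in constant time, before trusting any header field.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise RejectedImage("bad authentication tag")
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        raise RejectedImage("malformed header")
    if version <= current_version:
        raise RejectedImage("version rollback or replay")
    return body[HEADER.size:]

def guarded_update(key, blob, current_version, flash) -> bool:
    """Call flash (assumed download-manager hook) only on a verified image."""
    try:
        payload = verify_image(key, blob, current_version)
    except RejectedImage:
        return False
    flash(payload)
    return True

# Constructed sample data: not real firmware and not a real key.
KEY = bytes(range(32))
GOOD = sign_image(KEY, 7, b"\x00constructed-firmware-payload\xff")
TAMPERED = GOOD[:20] + bytes([GOOD[20] ^ 0x01]) + GOOD[21:]
```

A symmetric key stored on the device can be extracted from any one unit, so where the hardware allows it a public-key signature check is the stronger form of the same wrapper.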
Affected users may also consider the following workaround:
Restrict network access
Restrict network access to the device containing the Rabbit CPU and Resident Download Manager to a secured LAN segment.
167623
Notified: January 20, 2017 Updated: February 01, 2017
Statement Date: January 31, 2017
Affected
`This vulnerability was addressed in the basic design of our Addon keypad since
its inception. The SH Designs program cannot be used to modify the firmware in
our keypad without specialized knowledge of specific procedures necessary to
initiate a firmware replacement.
We have further strengthened the procedure as of firmware version 5.5.05 to
include the necessity to also enter the administrator password to initiate a
firmware replacement.
To identify which type of protection your keypad has, verify the program
version in the keypad by looking at the printed header at power-up.
To be clear, the SH Designs program that has the vulnerability would normally
only be used by trained service personnel on a very infrequent basis. Field
updates to the firmware in the keypad are not often done. Also, specific
knowledge of the keypad operation is necessary to use the SH Designs program to
perform a firmware update. Furthermore, the knowledge and time investment
necessary to create and install a program that might be able to perform a
malicious action with an embedded processor like the one used in our keypad
creates a very unlikely scenario that it would ever be attempted. Our product
does not even use a standard operating system. The keypad is also normally used
in a secure location that would have UDP access restricted at the router to the
subnet level.`
We are not aware of further vendor information regarding this vulnerability.
Notified: April 07, 2017 Updated: April 07, 2017
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
We have reached out to the vendor regarding the SHDesigns RDM vulnerability.
Additionally, the cookie authentication bypass vulnerability reported in the tmcnet.com blog was assigned CVE IDs as follows:
`CVE-2007-6759 = Dataprobe iBootBar (with 2007-09-20 and possibly later
released firmware) allows remote attackers to bypass authentication,
and conduct power-cycle attacks on connected devices, via a DCRABBIT
cookie.
CVE-2007-6760 = Dataprobe iBootBar (with 2007-09-20 and possibly later
beta firmware) allows remote attackers to bypass authentication, and
conduct power-cycle attacks on connected devices, via a DCCOOKIE
cookie.`
Notified: January 13, 2017 Updated: January 26, 2017
Statement Date: January 13, 2017
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 05, 2016 Updated: December 05, 2016
Unknown
We have not received a statement from the vendor.
Notified: January 20, 2017 Updated: January 20, 2017
Unknown
We have not received a statement from the vendor.
Notified: January 20, 2017 Updated: January 20, 2017
Unknown
We have not received a statement from the vendor.
Notified: January 20, 2017 Updated: January 20, 2017
Unknown
We have not received a statement from the vendor.
Group | Score | Vector |
---|---|---|
Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Temporal | 8 | E:POC/RL:U/RC:UR |
Environmental | 6.0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Nolan Ray of NCC Group for reporting this vulnerability.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2016-6567, CVE-2007-6759, CVE-2007-6760 |
---|---|
Date Public: | 2017-01-31 |
Date First Published: | |