Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:402020
HistoryJul 03, 2014 - 12:00 a.m.

Autodesk VRED contains an unauthenticated remote code execution vulnerability

2014-07-0300:00:00
www.kb.cert.org
17

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.008

Percentile

82.1%

JSON

Overview

Autodesk VRED contains an unauthenticated remote code execution vulnerability.

Description

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’):

Autodesk VRED Professional 2014 contains an unauthenticated remote code execution vulnerability. Autodesk VRED Professional 2014 contains an integrated web server that binds to port tcp/8888 which is accessible remotely. It has been reported that this web server gives access to a Python API which provides users with a vast amount of libraries which could allow an attacker to execute operating system commands. Through this API, Python code can be executed on the target system, the output is returned in the web server response. By importing the Python “os” library, arbitrary operating system commands can be executed on the target system with the privileges of the user running VRED Professional 2014.

Impact

An unauthenticated attacker can execute operating system commands with the privileges of the user running VRED Professional 2014.

Solution

Apply an Update

Autodesk has released VRED 2014 SR1 SP8 to address this vulnerability. Users are advised to upgrade to VRED 2014 SR1 SP8 or later.

Restrict Access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from accessing the web interface using stolen credentials from a blocked network location.

Vendor Information

402020

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Autodesk, Inc __ Affected

Notified: March 25, 2014 Updated: June 26, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Autodesk has released VRED 2014 SR1 SP8 to address this vulnerability. Users are advised to upgrade to VRED 2014 SR1 SP8 or later.

CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 8.3 E:F/RL:OF/RC:C
Environmental 6.3 CDP:L/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Thomas Fischer from Daimler TSS Technical Security for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2014-2967
Date Public: 2014-06-24 Date First Published:

Related

nessus 2
prion 1
cve 1
cvelist 1
nvd 1
nessus
nessus
Autodesk VRED Python API Remote Code Execution
2014-07-24 00:00:00
Autodesk VRED Pro 2014 < SR1 SP8 Remote Code Execution
2014-07-24 00:00:00
prion
prion
Design/Logic Flaw
2014-07-07 11:01:00
cve
cve
CVE-2014-2967
2014-07-07 11:01:29
cvelist
cvelist
CVE-2014-2967
2014-07-07 10:00:00
nvd
nvd
CVE-2014-2967
2014-07-07 11:01:29

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.008

Percentile

82.1%

JSON
Related for VU:402020
nessus2prion1cve1cvelist1nvd1