Lucene search

MitreCVE-2017-9828

HistoryJun 23, 2017 - 10:29 p.m.

CVE-2017-9828

2017-06-2322:29:00

CWE-78

mitre

web.nvd.nist.gov

cve

2017

9828

vivotek

network cameras

cgi

admin

shell command

injection

vulnerability

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.015

Percentile

87.3%

JSON

‘/cgi-bin/admin/testserver.cgi’ of the web service in most of the VIVOTEK Network Cameras is vulnerable to shell command injection, which allows remote attackers to execute any shell command as root via a crafted HTTP request. This vulnerability is already verified on VIVOTEK Network Camera IB8369/FD8164/FD816BA; most others have similar firmware that may be affected. An attack uses shell metacharacters in the senderemail parameter.

Affected configurations

Nvd

Node

vivoteknetwork_camera_ib8369_firmwareMatchib8369-vvtk-0102a

AND

vivoteknetwork_camera_ib8369Match-

Node

vivoteknetwork_camera_fd8164_firmwareMatchfd8164-_vvtk-0200b

AND

vivoteknetwork_camera_fd8164Match-

Node

vivoteknetwork_camera_fd816ba_firmwareMatchfd816ba-vvtk-010101.

AND

vivoteknetwork_camera_fd816baMatch-

VendorProductVersionCPE
vivoteknetwork_camera_ib8369_firmwareib8369-vvtk-0102acpe:2.3:o:vivotek:network_camera_ib8369_firmware:ib8369-vvtk-0102a:*:*:*:*:*:*:*
vivoteknetwork_camera_ib8369-cpe:2.3:h:vivotek:network_camera_ib8369:-:*:*:*:*:*:*:*
vivoteknetwork_camera_fd8164_firmwarefd8164-_vvtk-0200bcpe:2.3:o:vivotek:network_camera_fd8164_firmware:fd8164-_vvtk-0200b:*:*:*:*:*:*:*
vivoteknetwork_camera_fd8164-cpe:2.3:h:vivotek:network_camera_fd8164:-:*:*:*:*:*:*:*
vivoteknetwork_camera_fd816ba_firmwarefd816ba-vvtk-010101.cpe:2.3:o:vivotek:network_camera_fd816ba_firmware:fd816ba-vvtk-010101.:*:*:*:*:*:*:*
vivoteknetwork_camera_fd816ba-cpe:2.3:h:vivotek:network_camera_fd816ba:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vivotek	network_camera_ib8369_firmware	ib8369-vvtk-0102a	cpe:2.3:o:vivotek:network_camera_ib8369_firmware:ib8369-vvtk-0102a:::::::*
vivotek	network_camera_ib8369	-	cpe:2.3:h:vivotek:network_camera_ib8369:-:::::::*
vivotek	network_camera_fd8164_firmware	fd8164-_vvtk-0200b	cpe:2.3:o:vivotek:network_camera_fd8164_firmware:fd8164-_vvtk-0200b:::::::*
vivotek	network_camera_fd8164	-	cpe:2.3:h:vivotek:network_camera_fd8164:-:::::::*
vivotek	network_camera_fd816ba_firmware	fd816ba-vvtk-010101.	cpe:2.3:o:vivotek:network_camera_fd816ba_firmware:fd816ba-vvtk-010101.:::::::*
vivotek	network_camera_fd816ba	-	cpe:2.3:h:vivotek:network_camera_fd816ba:-:::::::*

References

blog.cal1.cn/post/An%20easy%20way%20to%20pwn%20most%20of%20the%20vivotek%20network%20cameras

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.015

Percentile

87.3%

JSON

Related for CVE-2017-9828