[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bastille and Comcast CVE IDs

To: Kurt Seifried <kurt@seifried.org>, "Coffin, Chris" <ccoffin@mitre.org>
Subject: Re: Bastille and Comcast CVE IDs
From: Art Manion <amanion@cert.org>
Date: Mon, 2 Oct 2017 13:21:28 -0400
Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cert.org;
Cc: Kurt Seifried <kseifried@redhat.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-date: Mon Oct 2 13:28:37 2017
Dkim-filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu v92HLVtf032298
In-reply-to: <CABqVa38h64Y_dn0W6mSWNBZee_f3y00hggp1d8Yp4yYprjJhwQ@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <99f4aac1-f1d7-1a4e-a821-cc40b1ba4687@cert.org> <CANO=Ty3x3Dd-3_D5-_TU=ccoLsSXxZFgQKqXYQvW+Gq-dY3Fdw@mail.gmail.com> <1a2221c2-d1f8-a6fe-4376-c8c8ea0622e8@cert.org> <MWHPR09MB1456330556ABCDF14DC471D8A17D0@MWHPR09MB1456.namprd09.prod.outlook.com> <e4649d31-a0fc-6917-2b06-90b06111efdd@cert.org> <MWHPR09MB14567AC9E1C3ACBCF31CF36EA17D0@MWHPR09MB1456.namprd09.prod.outlook.com> <CABqVa38h64Y_dn0W6mSWNBZee_f3y00hggp1d8Yp4yYprjJhwQ@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
Spamdiagnosticoutput: 1:2
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

On 2017-10-02 12:53, Kurt Seifried wrote:

> 1) Is this web server documented? (if not, stronger case for CVE)
Apparently not.

> 2) Is this web server needed to admin the device? E.g. my
> dsl/cablemodems both have a web server running on port 80/443, which
> show me a status page and allow login/admin if I access the page. Or
> is this web server running on a non-standard port for whatever
> purposes? (If yes, stronger case for a CVE)
Unknown, from what I've read I assume it has some intentional purpose, 
UPnP InternetGatewayDevice.

So do devices that have intentional web servers/services running for 
functional purposes need to document them?  Or just say "device 
supports UPnP?"

> 3) can this web server be disabled, in the sense of CAN it be
> disabled (is there a config switch for this), and/or does disabling
> it break the product? Is it needed? (If it can't be disabled then a
> stronger case for the CVE, conversely if not needed a stronger case
> as well)
Disable UPnP.

> 4) can the web server be contacted? (e.g. is it on localhost only,
> the LAN (e.g. semi trusted) interface only, or the WAN interface
> (e.g. the Internet)
Not remote/internet, some sort of internal LAN/WLAN.

So, I see "device runs web server as part of UPnP, on "internal" 
network(s) only."  Normal function, no specific vulnerability.  Yes, 
can be used by attacker (who has gained access via other means) to 
exfil the config.

 - Art

Follow-Ups:
- Re: Bastille and Comcast CVE IDs
  - From: Kurt Seifried <kseifried@redhat.com>

References:
- Re: Bastille and Comcast CVE IDs
  - From: Art Manion <amanion@cert.org>
- RE: Bastille and Comcast CVE IDs
  - From: "Coffin, Chris" <ccoffin@mitre.org>
- Re: Bastille and Comcast CVE IDs
  - From: Art Manion <amanion@cert.org>
- RE: Bastille and Comcast CVE IDs
  - From: "Coffin, Chris" <ccoffin@mitre.org>
- Re: Bastille and Comcast CVE IDs
  - From: Kurt Seifried <kurt@seifried.org>

Prev by Date: Re: Bastille and Comcast CVE IDs
Next by Date: Re: Bastille and Comcast CVE IDs
Previous by thread: Re: Bastille and Comcast CVE IDs
Next by thread: Re: Bastille and Comcast CVE IDs
Index(es):
- Date
- Thread