
RE: Bastille and Comcast CVE IDs
> Avoiding the physical access discussion for the moment (or accepting 
> your position), why are these two CVE IDs?
>
> CVE-2017-9479
> https://github.com/BastilleResearch/CableTap/blob/master/doc/advisories/bastille-22.syseventd.txt
>
> CVE-2017-9480
> https://github.com/BastilleResearch/CableTap/blob/master/doc/advisories/bastille-23.upnp-directory-write.txt

Here, problem number 22 (CVE-2017-9479) is unauthenticated execution of 
various commands as root. These commands can achieve a variety of 
results. From a penetration-testing perspective, the interest is in 
exfiltrating sensitive information for use in other attacks.

Problem number 23 (CVE-2017-9480) is the existence of an undocumented 
HTTP server that provides access to a /var/IGD/ directory tree 
containing zero or more files, and is reachable without authentication. 
From a penetration-testing perspective, the interest is in immediately 
continuing the process of exfiltrating information.

However, even if problem 22 were fixed, a configuration file could 
still be present in the HTTP server's directory tree if problem 22 had 
been exploited at any time before the fix occurred. That is the primary 
reason for a separate CVE. Also, it is possible that files are 
sometimes written to the HTTP server's directory tree for unrelated 
reasons, e.g., a Comcast technician copies files there while resolving 
a customer problem.

Chris

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org 
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
Art Manion
Sent: Sunday, October 1, 2017 12:08 PM
To: Kurt Seifried <kseifried@redhat.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Bastille and Comcast CVE IDs

On 2017-09-29 23:03, Kurt Seifried wrote:

> CVE-2017-9480 is one possible impact (attacker can download config
> file) of CVE-2017-9479 (syseventd running as root listening on some 
> local networks).

> If I could plug a cable into your phone and control it with no 
> further passwords/etc, that'd be a CVE right?

Avoiding the physical access discussion for the moment (or accepting 
your position), why are these two CVE IDs?

CVE-2017-9479
https://github.com/BastilleResearch/CableTap/blob/master/doc/advisories/bastille-22.syseventd.txt

CVE-2017-9480
https://github.com/BastilleResearch/CableTap/blob/master/doc/advisories/bastille-23.upnp-directory-write.txt


 - Art

Page Last Updated or Reviewed: October 02, 2017