[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Bastille and Comcast CVE IDs

> I don't see #23 as anything different than "device runs a web server."

True. But another side is that "device runs a web server" could and 
should be handled differently based on whether it's standard system 
with an OS vs. a closed appliance. In other words, a "Linux system 
running Apache" probably wouldn't ever get a CVE as it's more like a 
config issue, but in this case it would since it's an undocumented web 
server on a modem. At the very least it's an exposure I think.

Even if we were to decide against assigning these in the future, I'd 
say it's still important to alert folks to these kinds of issues. Does 
anyone disagree?

Chris

-----Original Message-----
From: Art Manion [mailto:amanion@cert.org] 
Sent: Monday, October 2, 2017 11:27 AM
To: Coffin, Chris <ccoffin@mitre.org>; Kurt Seifried 
<kseifried@redhat.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Bastille and Comcast CVE IDs

On 2017-10-02 11:27, Coffin, Chris wrote:

>> CVE-2017-9479
>> https://github.com/BastilleResearch/CableTap/blob/master/doc/advisories/bastille-22.syseventd.txt
>>
>> CVE-2017-9480
>> https://github.com/BastilleResearch/CableTap/blob/master/doc/advisories/bastille-23.upnp-directory-write.txt
> 
> Here, problem number 22 (CVE-2017-9479) is unauthenticated execution 
> of various commands as root. These commands can achieve a variety of 
> results. From a penetration-testing perspective, the interest is in 
> exfiltrating sensitive information for use in other attacks.
> 
> Problem number 23 (CVE-2017-9480) is the existence of an undocumented 
> HTTP server that provides access to a /var/IGD/ directory tree 
> containing zero or more files, and is reachable without 
> authentication. From a penetration-testing perspective, the interest 
> is in immediately continuing the process of exfiltrating information.
> However, even if problem 22 were fixed, a configuration file could 
> still be present in the HTTP server's directory tree if problem 22 
> had been exploited at any time before the fix occurred. That is the 
> primary reason for a separate CVE. Also, it is possible that files 
> are sometimes written to the HTTP server's directory tree for 
> unrelated reasons, e.g., a Comcast technician copies files there 
> while resolving a customer problem.

"Undocumented" can be an aspect of a vulnerability.  I'm not going to 
push for reject or disputed, but:

But what would be different about a Linux system running Apache and an 
attacker (possibly using other vulnerabilities) putting files in the 
Apache root to then download them?

Unless there is some other legitimate process that puts configuration 
files in /var/IGD, I don't see #23 as anything different than "device 
runs a web server."

 - Art
Page Last Updated or Reviewed: October 02, 2017