[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bastille and Comcast CVE IDs

To: "Coffin, Chris" <ccoffin@mitre.org>, Kurt Seifried <kseifried@redhat.com>
Subject: Re: Bastille and Comcast CVE IDs
From: Art Manion <amanion@cert.org>
Date: Mon, 2 Oct 2017 12:26:45 -0400
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cert.org;
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-date: Mon Oct 2 13:28:39 2017
Dkim-filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu v92GQorN027867
In-reply-to: <MWHPR09MB1456330556ABCDF14DC471D8A17D0@MWHPR09MB1456.namprd09.prod.outlook.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <99f4aac1-f1d7-1a4e-a821-cc40b1ba4687@cert.org> <CANO=Ty3x3Dd-3_D5-_TU=ccoLsSXxZFgQKqXYQvW+Gq-dY3Fdw@mail.gmail.com> <1a2221c2-d1f8-a6fe-4376-c8c8ea0622e8@cert.org> <MWHPR09MB1456330556ABCDF14DC471D8A17D0@MWHPR09MB1456.namprd09.prod.outlook.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
Spamdiagnosticoutput: 1:2
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

On 2017-10-02 11:27, Coffin, Chris wrote:

>> CVE-2017-9479
>> https://github.com/BastilleResearch/CableTap/blob/master/doc/advisories/bastille-22.syseventd.txt
>>
>> CVE-2017-9480
>> https://github.com/BastilleResearch/CableTap/blob/master/doc/advisories/bastille-23.upnp-directory-write.txt
> 
> Here, problem number 22 (CVE-2017-9479) is unauthenticated execution 
> of various commands as root. These commands can achieve a variety of 
> results. From a penetration-testing perspective, the interest is in 
> exfiltrating sensitive information for use in other attacks.
> 
> Problem number 23 (CVE-2017-9480) is the existence of an undocumented 
> HTTP server that provides access to a /var/IGD/ directory tree 
> containing zero or more files, and is reachable without 
> authentication. From a penetration-testing perspective, the interest 
> is in immediately continuing the process of exfiltrating information.
> However, even if problem 22 were fixed, a configuration file could 
> still be present in the HTTP server's directory tree if problem 22 
> had been exploited at any time before the fix occurred. That is the 
> primary reason for a separate CVE. Also, it is possible that files 
> are sometimes written to the HTTP server's directory tree for 
> unrelated reasons, e.g., a Comcast technician copies files there 
> while resolving a customer problem.

"Undocumented" can be an aspect of a vulnerability.  I'm not going to 
push for reject or disputed, but:

But what would be different about a Linux system running Apache and an 
attacker (possibly using other vulnerabilities) putting files in the 
Apache root to then download them?

Unless there is some other legitimate process that puts configuration 
files in /var/IGD, I don't see #23 as anything different than "device 
runs a web server."

 - Art

Follow-Ups:
- RE: Bastille and Comcast CVE IDs
  - From: "Coffin, Chris" <ccoffin@mitre.org>

References:
- Re: Bastille and Comcast CVE IDs
  - From: Art Manion <amanion@cert.org>
- RE: Bastille and Comcast CVE IDs
  - From: "Coffin, Chris" <ccoffin@mitre.org>

Prev by Date: RE: Bastille and Comcast CVE IDs
Next by Date: Re: Bastille and Comcast CVE IDs
Previous by thread: RE: Bastille and Comcast CVE IDs
Next by thread: RE: Bastille and Comcast CVE IDs
Index(es):
- Date
- Thread