Re: Bastille and Comcast CVE IDs

Sounds like the web server is part of an exploit chain, and not in and of itself a vulnerability per se, but it could of course be an exposure. I would say UPnP is a pretty standard feature though, so it sounds like this specific web server does have a problem more so than usual UPnP would expose.

On Mon, Oct 2, 2017 at 11:21 AM, Art Manion <amanion@cert.org> wrote:
On 2017-10-02 12:53, Kurt Seifried wrote:

> 1) Is this web server documented? (if not, stronger case for CVE)
Apparently not.

> 2) Is this web server needed to admin the device? E.g. my
> dsl/cablemodems both have a web server running on port 80/443, which
> show me a status page and allow login/admin if I access the page. Or
> is this web server running on a non-standard port for whatever
> purposes? (If yes, stronger case for a CVE)
Unknown; from what I've read I assume it has some intentional purpose, UPnP InternetGatewayDevice.

So do devices that have intentional web servers/services running for functional purposes need to document them?  Or just say "device supports UPnP?"

> 3) can this web server be disabled, in the sense of CAN it be
> disabled (is there a config switch for this), and/or does disabling
> it break the product? Is it needed? (If it can't be disabled then a
> stronger case for the CVE, conversely if not needed a stronger case
> as well)
Disable UPnP.

> 4) can the web server be contacted? (e.g. is it on localhost only,
> the LAN (e.g. semi trusted) interface only, or the WAN interface
> (e.g. the Internet)
Not remote/internet, some sort of internal LAN/WLAN.

So, I see "device runs web server as part of UPnP, on "internal" network(s) only."  Normal function, no specific vulnerability.  Yes, can be used by attacker (who has gained access via other means) to exfil the config.

 - Art


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: October 02, 2017