Wednesday, 28 June 2017

Posted at 00:10 by admin
A vulnerability classified as critical has been found in OpenDaylight (the affected version is unknown). The issue affects an unknown function. Manipulation with an unknown input leads to a weak authentication vulnerability, which CWE classifies as CWE-287. Confidentiality, integrity, and availability are impacted.

The weakness was published on 06/27/2017 by Flavio Fernandes of Red Hat (oss-sec). The advisory is available for download at openwall.com. The vulnerability has been identified as CVE-2015-1778 since 02/17/2015. No form of authentication is needed for successful exploitation. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimate calculated on 06/28/2017).

No information about possible countermeasures is known. It may be advisable to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 73255).

CVSSv3

VulDB Base Score: 6.3
VulDB Temp Score: 6.3
VulDB Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X
VulDB Reliability: Low

CVSSv2

Vector     Complexity  Authentication  Confidentiality  Integrity  Availability
Local      High        Multiple        None             None       None
Adjacent   Medium      Single          Partial          Partial    Partial
Network    Low         None            Complete         Complete   Complete
VulDB Base Score: 4.4 (CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P)
VulDB Temp Score: 4.4 (CVSS2#E:ND/RL:ND/RC:ND)
VulDB Reliability: Medium


CPE
  • cpe:/a:opendaylight:opendaylight

Exploiting

Class: Weak authentication (CWE-287)
Local: Yes
Remote: No

Availability: No

Price Prediction: steady
Current Price Estimation

0-Day   $0-$5k   $5k-$25k   $25k-$100k   $100k-$500k
Today   $0-$5k   $5k-$25k   $25k-$100k   $100k-$500k

Countermeasures


Recommended: no mitigation known
0-Day Time: 0 days since found

Timeline

02/17/2015              CVE assigned
03/20/2015  +31 days    SecurityFocus entry assigned
06/27/2017  +830 days   Advisory disclosed
06/28/2017  +1 days     VulDB entry created
06/28/2017  +0 days     VulDB last update

Sources

Advisory: openwall.com
Researcher: Flavio Fernandes
Organization: Red Hat
Confirmation: cloudrouter.org

CVE: CVE-2015-1778 (mitre.org) (nvd.nist.org) (cvedetails.com)
