Monday, 11 September 2017

Posted at 16:10 by Vismit Rakhecha
A vulnerability, which was classified as problematic, was found in Samsung NVR (the affected version is unknown). This affects an unknown function of the file cgi-bin/main-cgi. The manipulation of the argument szUserPasswd as part of JSON data leads to an information disclosure vulnerability (password). The issue is classified as CWE-200. It has an impact on confidentiality.

The weakness was disclosed 09/11/2017. This vulnerability is uniquely identified as CVE-2017-14262 since 09/10/2017. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $0-$5k at the moment.
No information about possible countermeasures is known. It may be suggested to replace the affected object with an alternative product.

CVSSv3

VulDB Base Score: ≈3.5
VulDB Temp Score: ≈3.5
VulDB Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
VulDB Reliability: Low

CVSSv2

VulDB Base Score: ≈1.5 (CVSS2#AV:A/AC:M/Au:S/C:P/I:N/A:N)
VulDB Temp Score: ≈1.5 (CVSS2#E:ND/RL:ND/RC:ND)
VulDB Reliability: Medium

CPE

  • cpe:/a:samsung:nvr

Exploiting

Class: Information disclosure / Password (CWE-200)
Local: Yes
Remote: No

Availability: No

Price Prediction: steady
Current Price Estimation

0-Day: $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k
Today: $0-$5k | $5k-$25k | $25k-$100k | $100k-$500k


Countermeasures

Recommended: no mitigation known
0-Day Time: 0 days since found

Timeline

09/10/2017   CVE assigned
09/11/2017  +1 days Advisory disclosed
09/11/2017  +0 days VulDB entry created
09/11/2017  +0 days VulDB last update

Sources


CVE: CVE-2017-14262 (mitre.org) (nvd.nist.gov) (cvedetails.com)
