CVE-2017-9384

Name of the Vulnerable Software and Affected Versions Vera VeraEdge version 1.7.19 Vera Veralite version 1.7.481

Description An issue was discovered in the device firmware file, specifically in the relay.sh script, which allows the device to create relay ports and connect to Vera servers. The script retrieves a parameter called remote host, which is not sanitized correctly and is passed to another script using eval. This allows an attacker to escape from the executed command and execute any commands of their choice. The device provides a web user interface that allows a user to manage the device, and this functionality is primarily used for communication between the device and Vera servers.

Recommendations For Vera VeraEdge version 1.7.19, consider disabling the relay.sh script until a patch is available to prevent exploitation. For Vera Veralite version 1.7.481, restrict access to the relay.sh script to minimize the risk of exploitation. Avoid using the remote host parameter in the affected script until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.