PT-2019-8657 · Vera · Veraedge+1

Mandar Satam

·

Published

2019-06-17

·

Updated

2019-06-20

·

CVE-2017-9388

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Vera VeraEdge version 1.7.19
Vera Veralite version 1.7.481

Description

An issue was discovered in the device firmware, specifically in the proxy.sh script, which lets the device proxy requests to and from another website. The url parameter read by this script is not sanitized: it is interpolated into a command string that is passed to eval to run curl, so a requester can break out of the intended curl command with shell metacharacters and execute arbitrary commands on the device. The script is primarily used for communication between the device and the Vera website while the user is logged in to https://home.getvera.com.

Recommendations

For Vera VeraEdge version 1.7.19 and Vera Veralite version 1.7.481, install the vendor firmware update if one is available; until then, disable or remove the proxy.sh script and restrict network access to the device's web interface. The url parameter is supplied by the requester, so "not using" it is not a workaround: the script has to stop passing the value through eval, hand it to curl as a single quoted argument, and accept only the destinations it is meant to reach. The CVSS vector lists a single authentication (Au:S), so limiting who can authenticate to the device also reduces exposure, but it does not remove the flaw.
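The pattern described above, as an added example that is not Vera's proxy.sh: a shell function that splices a requester-controlled url into a string and evals it, next to a hardened version that validates the value and passes it as one argument. fetch_stub is a hypothetical stand-in for the curl call so the script runs offline, the payload is constructed, and the allowlisted destination (https://home.getvera.com) is assumed from the description.

```shell
#!/bin/sh
# Added example, not code from the Vera firmware. fetch_stub is a hypothetical
# stand-in for the curl invocation; it only echoes the URL it was handed.
fetch_stub() {
    printf 'fetch %s\n' "$1"
}

# Vulnerable pattern: the requester-controlled url is spliced into a command
# string that is then eval'd, so shell metacharacters in url run as code.
vulnerable_proxy() {
    eval "fetch_stub $1"
}

# Hardened pattern: reject anything outside a conservative URL character set
# (no ; | ` $ ( ) space or quotes), allow only the expected destination, and
# hand the value to the fetch command as a single quoted argument, never eval.
safe_proxy() {
    [ -n "$1" ] || { printf 'rejected: empty url\n'; return 1; }
    clean=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9:/._%?=&-')
    [ "$clean" = "$1" ] || { printf 'rejected: illegal character\n'; return 1; }
    case $1 in
        https://home.getvera.com|https://home.getvera.com/*) ;;
        *) printf 'rejected: destination not allowed\n'; return 1 ;;
    esac
    fetch_stub "$1"
}

# Demonstration with a constructed payload: the vulnerable path runs the
# injected echo, the hardened path refuses the request.
demo() {
    payload='http://example.com;echo INJECTED'
    printf -- '--- vulnerable ---\n'
    vulnerable_proxy "$payload"
    printf -- '--- hardened ---\n'
    safe_proxy "$payload" || printf 'request blocked\n'
    safe_proxy 'https://home.getvera.com/api?x=1'
}
demo
```

The character filter does the heavy lifting: it stops `;`, `|`, backticks, `$(...)` and whitespace before any shell sees them, and the destination check then refuses look-alike hosts such as home.getvera.com.evil.example because the pattern requires a `/` (or the end of the string) right after the allowed host. Passing `"$1"` as a quoted argument means even a value that slipped through could not become a second command.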

Weakness Enumeration

Command Injection

Related Identifiers

CVE-2017-9388

Affected Products

Veraedge
Veralite