PT-2019-8658 · Vera · Veraedge+1

Published: 2019-06-17 · Updated: 2019-06-20 · CVE-2017-9389

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Vera VeraEdge version 1.7.19; Veralite version 1.7.481

Description: An issue was discovered in these devices that allows an attacker to run arbitrary Lua code, because the Lua code installation functionality is not protected by authentication. The device's web user interface lets users manage the device and install Lua applications. The value of the code parameter is passed to the LU::LuaInterface::RunCode(char const*) function, which loads the Lua engine and runs the code. The request is handled by the LU::JobHandler LuaUPnP::RunLua(LU::JobHandler LuaUPnP * hidden this, LU::UPnPActionWrapper *) function in the LuaUPNP daemon.

Recommendations: For Vera VeraEdge version 1.7.19, consider disabling the Lua code installation functionality until a patch is available. For Veralite version 1.7.481, restrict access to the LuaUPNP daemon to minimize the risk of exploitation. As a temporary workaround, consider disabling the LU::JobHandler LuaUPnP::RunLua function until a patch is available. Avoid using the code parameter of the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration: Improper Authentication


Related Identifiers: CVE-2017-9389

Affected Products: Veraedge, Veralite