PT-2019-8660 · Vera · Veraedge+1

Published 2019-06-17 · Updated 2019-06-20 · CVE-2017-9391

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Vera VeraEdge version 1.7.19
Vera Veralite version 1.7.481

Description

An issue was discovered in the UPnP services provided by the devices, which are available on port 3480 and can also be accessed via port 80 using the url "/port_3480". The "request_image" service action allows a normal user to retrieve an image from a camera controlled by the controller. However, the "URL" parameter passed in the query string is not sanitized and is stored on the stack, allowing an attacker to overflow the buffer. The function LU::Generic_IP_Camera_Manager::REQ_Image is activated when lu_request_image is passed as the "id" parameter in the query string. This function then calls LU::Generic_IP_Camera_Manager::GetUrlFromArguments and passes it a pointer to the location where the callee will store the value of the URL parameter. The pointer is passed as the second parameter, $a2, to LU::Generic_IP_Camera_Manager::GetUrlFromArguments. However, neither the callee nor the caller performs a simple length check, and as a result, an attacker who is able to send more than 1336 characters can easily overflow the values stored on the stack, including the $RA value, and thus execute code on the device.

Recommendations

For Vera VeraEdge version 1.7.19, consider disabling the LU::Generic_IP_Camera_Manager::REQ_Image function until a patch is available. For Vera Veralite version 1.7.481, restrict access to the /port_3480 url to minimize the risk of exploitation. Avoid using the URL parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
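
Because no fixed firmware is known, the length check the description says is missing can be applied in front of the device or over its access logs. The following is an added example, not code from the advisory or the vendor; the log line shape, the `ALERT_LEN` threshold, the case-insensitive parameter match and the placeholder path segment `example` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

OVERFLOW_LEN = 1336   # from the advisory: more than this many characters overflows the stack
ALERT_LEN = 256       # assumption: legitimate camera image URLs are far shorter than this

def classify(request_target):
    """Classify one request target as 'ignore', 'ok', 'suspicious' or 'overflow'."""
    params = parse_qsl(urlsplit(request_target).query, keep_blank_values=True)
    if "lu_request_image" not in [v for k, v in params if k == "id"]:
        return "ignore"                      # not the affected service action
    # parse_qsl percent-decodes, so this is the decoded length of the value.
    # The name is compared case-insensitively and repeats are all checked (assumption).
    longest = max((len(v) for k, v in params if k.lower() == "url"), default=0)
    if longest > OVERFLOW_LEN:
        return "overflow"
    return "suspicious" if longest > ALERT_LEN else "ok"

# Assumed access-log shape: client address, then the quoted request line.
LOG_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan(lines):
    """Return (client, verdict) for every lu_request_image request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (verdict := classify(m.group(2))) != "ignore":
            hits.append((m.group(1), verdict))
    return hits

# Constructed sample log lines; the path segment "example" is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 "GET /port_3480/example?id=lu_request_image&URL=http://192.0.2.50/snap.jpg HTTP/1.1"',
    '192.0.2.11 "GET /port_3480/example?id=other_action HTTP/1.1"',
    '192.0.2.66 "GET /port_3480/example?id=lu_request_image&URL=' + "A" * 1400 + ' HTTP/1.1"',
    '192.0.2.67 "GET /port_3480/example?id=lu_request_image&URL=' + "%41" * 300 + ' HTTP/1.1"',
]

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(client, verdict)
```

The same `classify` check can back a reverse-proxy rule that rejects any verdict other than `ok` or `ignore` before the request reaches port 3480.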

Exploit

Buffer Overflow


Weakness Enumeration

Related identifiers

CVE-2017-9391

Affected products

Veraedge
Veralite