PT-2019-8661 · Vera · Veraedge+1

Published: 2019-06-17 · Updated: 2019-06-20 · CVE-2017-9392

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Vera VeraEdge version 1.7.19
Vera Veralite version 1.7.481

Description

An issue was discovered in the UPnP services provided by the device, which can be accessed on port 3480 or via port 80 using the URL "/port_3480". The "request_image" service action allows a normal user to retrieve an image from a camera controlled by the controller. The res (resolution) parameter passed in the query string is not sanitized and is stored on the stack, allowing an attacker to overflow the buffer. The function LU::Generic_IP_Camera_Manager::REQ_Image is activated when lu_request_image is passed as the id parameter in the query string. This function then calls LU::Generic_IP_Camera_Manager::GetUrlFromArguments, which retrieves all parameters passed in the query string, including res, and uses the value to fill a buffer using the sprintf function. The function lacks a simple length check, so an attacker can overwrite values stored on the stack, including the saved $RA (return address) value, and thus execute code on the device.

Recommendations

For Vera VeraEdge version 1.7.19, consider disabling the LU::Generic_IP_Camera_Manager::REQ_Image function until a patch is available. For Vera Veralite version 1.7.481, restrict access to the "/port_3480" URL to minimize the risk of exploitation. Avoid using the res parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
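
The missing length check described above, as an added C example (not code from the Vera firmware or from this advisory): the unchecked `sprintf` pattern appears only as a comment, and the function bounds and validates `res` before formatting, treating truncation as an error. The buffer size, the `MAX_RES_LEN` limit, the alphanumeric format of `res`, the `/image?res=` path and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 64  /* assumed; the advisory does not give the real size */
#define MAX_RES_LEN  16  /* assumed upper bound for a resolution string */

/* Pattern the advisory describes, kept as a comment only:
 *   char url[URL_BUF_SIZE];
 *   sprintf(url, "/image?res=%s", res);   (length of res never checked)
 */

/* Accept only short alphanumeric values such as "640x480" (assumed format). */
static int res_is_valid(const char *res)
{
    size_t n = 0;
    if (res == NULL)
        return 0;
    while (res[n] != '\0') {
        if (n >= MAX_RES_LEN || !isalnum((unsigned char)res[n]))
            return 0;            /* too long, or unexpected character */
        n++;
    }
    return n > 0;                /* reject the empty string as well */
}

/* Build the URL into out. Returns 0 on success, -1 if the input is rejected. */
int build_camera_url(char *out, size_t out_len, const char *res)
{
    int written;
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (!res_is_valid(res))
        return -1;
    written = snprintf(out, out_len, "/image?res=%s", res);
    if (written < 0 || (size_t)written >= out_len) {
        out[0] = '\0';           /* never hand back a truncated URL */
        return -1;
    }
    return 0;
}

int main(void)
{
    char url[URL_BUF_SIZE];
    int rc = build_camera_url(url, sizeof url, "640x480"); /* constructed input */
    printf("%d %s\n", rc, url);
    return 0;
}
```
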

Exploit

Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2017-9392

Affected Products

Veraedge
Veralite