PT-2020-7513 · Micasaverde · Veralite

Daniel Crowley

Published

2020-01-28

Updated

2020-02-04

CVE-2013-4863

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: MiCasaVerde VeraLite version 1.5.408

Description: The issue allows remote attackers to execute arbitrary Lua code via a RunLua action in a request to "upnp/control/hag" on port 49451. Additionally, remote authenticated users can execute arbitrary Lua code via a RunLua action in a request to "port 49451/upnp/control/hag".

Recommendations: For version 1.5.408, consider disabling the RunLua action in the HomeAutomationGateway service as a temporary workaround until a patch is available. Restrict access to the "upnp/control/hag" endpoint on port 49451 to minimize the risk of exploitation. Avoid using the RunLua action in requests to "port 49451/upnp/control/hag" until the issue is resolved.

Exploit

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2013-4863

Affected Products

Veralite

PT-2020-7513 · Micasaverde · Veralite

CVE-2013-4863

Weakness Enumeration

Related Identifiers

Affected Products

References · 7