Vulnerability Description
The network enabled distribution of Kura before 2.1.0 takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. Still the Equinox console port 5002 is left open, allowing to log into Kura without any user credentials over unencrypted telnet and executing commands using the Equinox "exec" command. As the process is running as "root" full control over the device can be acquired. IPv6 is also left in auto-configuration mode, accepting router advertisements automatically and assigns a MAC address based IPv6 address.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Kura | <= 2.0.2 |
Related Weaknesses (CWE)
References
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=514681Third Party Advisory
- https://github.com/eclipse/kura/issues/956Third Party Advisory
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=514681Third Party Advisory
- https://github.com/eclipse/kura/issues/956Third Party Advisory
FAQ
What is CVE-2017-7649?
CVE-2017-7649 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The network enabled distribution of Kura before 2.1.0 takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. Still the Equinox console port 5002 is lef...
How severe is CVE-2017-7649?
CVE-2017-7649 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-7649?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Kura.