MiCasaVerde VeraLite UPnP RCE

Nessus Plugin ID 93911 (Critical)

Synopsis

The remote device is affected by a remote code execution vulnerability.

Description

The remote MiCasaVerde VeraLite Smart Home Controller is affected by a remote code execution vulnerability. An unauthenticated, remote attacker can exploit this, via the UPnP RunLua action, to execute arbitrary shell commands as root.

Note that MiCasaVerde VeraLite is reportedly affected by additional vulnerabilities; however, Nessus has not tested for these.

Solution

The vendor has stated that they will not patch the vulnerability.

See Also

http://getvera.com/controllers/veralite/

https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt

Plugin Details

Severity: Critical

ID: 93911

File Name: micasaverde_veralite_runlua.nasl

Version: 1.4

Type: remote

Family: Misc.

Published: 2016/10/07

Modified: 2016/11/28

Dependencies: 35712

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 9

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:U/RC:ND

CVSSv3

Base Score: 9.8

Temporal Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:U/RC:X

Vulnerability Information

Required KB Items: upnp/www

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 2013/08/01

Reference Information

CVE: CVE-2013-4863

BID: 61591

EDB-ID: 27286