MiCasaVerde VeraLite UPnP RCE

Nessus Plugin ID 93911 (Critical)

Synopsis

The remote device is affected by a remote code execution vulnerability.

Description

The remote MiCasaVerde VeraLite Smart Home Controller is affected by a remote code execution vulnerability. An unauthenticated, remote attacker can exploit this, via the UPnP RunLua action, to execute arbitrary shell commands as root.

Note that MiCasaVerde VeraLite is reportedly affected by additional vulnerabilities; however, Nessus has not tested for these.

Solution

The vendor has stated that they will not patch the vulnerability.

See Also

https://getvera.com/controllers/veralite/

https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt

Plugin Details

Severity: Critical

ID: 93911

File Name: micasaverde_veralite_runlua.nasl

Version: 1.6

Type: remote

Family: Misc.

Published: 2016/10/07

Modified: 2018/11/15

Dependencies: 35712

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 2013/08/01

Reference Information

CVE: CVE-2013-4863

BID: 61591

EDB-ID: 27286