CVE-2017-12787
published 2017-08-22

Priority: P180 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 24.60% (97.6th percentile)

A network interface of the novi_process_manager_daemon service, included in the NoviWare software distribution through NW400.2.6 and deployed on NoviSwitch devices, can be inadvertently exposed if an operator attempts to modify ACLs, because of a bug when ACL modifications are applied. This could be leveraged by remote, unauthenticated attackers to gain resultant privileged (root) code execution on the switch, because incoming packet data can contain embedded OS commands, and can also trigger a stack-based buffer overflow.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ccfile | cc_file_transfer | | |
| noviflow | noviware | <= 400.2.6 | |

Detection & IOCs (extracted from sources)

  • Detect OS command injection attempts embedded in packet data sent to the novi_process_manager_daemon network interface; look for shell metacharacters (e.g., semicolons, null bytes) in raw packet payloads targeting the service port.
  • Detect stack-based buffer overflow attempts against novi_process_manager_daemon: look for oversized payloads (~408 repeated 8-byte chunks) with a specific 16-byte header structure (little-endian IIQ: 0, payload_length+16, 0) sent to the service.
  • Monitor for unexpected exposure of the novi_process_manager_daemon network interface following ACL modification operations on NoviSwitch devices, as the bug triggers during ACL application.
  • Alert on unauthenticated remote connections to the novi_process_manager_daemon service port, especially from external/untrusted network segments, as the service should not be externally reachable.
  • The vulnerability is only exposed transiently when an operator modifies ACLs; the daemon's network interface is not permanently exposed under normal conditions, making detection window-dependent.
  • A watchdog process will automatically restart novi_process_manager_daemon after a crash (e.g., from a failed exploit attempt), which may mask crash-based detection signals.
  • Affected versions are NoviWare through NW400.2.6; NoviWare400 3.0 and later are patched. Detections should be scoped to devices running vulnerable firmware versions.

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C