CVE-2017-12787
Published 2017-08-22
Priority: P1 (80, critical) · CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit
EPSS: 24.60% (97.6th percentile)
A network interface of the novi_process_manager_daemon service, included in the NoviWare software distribution through NW400.2.6 and deployed on NoviSwitch devices, can be inadvertently exposed if an operator attempts to modify ACLs, because of a bug when ACL modifications are applied. This could be leveraged by remote, unauthenticated attackers to gain resultant privileged (root) code execution on the switch, because incoming packet data can contain embedded OS commands, and can also trigger a stack-based buffer overflow.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ccfile | cc_file_transfer | — | — |
| noviflow | noviware | <= 400.2.6 | — |
Detection & IOCs (extracted from sources)
- Detect OS command injection attempts embedded in packet data sent to the novi_process_manager_daemon network interface; look for shell metacharacters (e.g., semicolons, null bytes) in raw packet payloads targeting the service port.
- Detect stack-based buffer overflow attempts against novi_process_manager_daemon: look for oversized payloads (~408 repeated 8-byte chunks) with a specific 16-byte header structure (little-endian IIQ: 0, payload_length+16, 0) sent to the service.
- Monitor for unexpected exposure of the novi_process_manager_daemon network interface following ACL modification operations on NoviSwitch devices, as the bug triggers during ACL application.
- Alert on unauthenticated remote connections to the novi_process_manager_daemon service port, especially from external/untrusted network segments, as the service should not be externally reachable.
Caveats
- The vulnerability is only exposed transiently when an operator modifies ACLs; the daemon's network interface is not permanently exposed under normal conditions, making detection window-dependent.
- A watchdog process will automatically restart novi_process_manager_daemon after a crash (e.g., from a failed exploit attempt), which may mask crash-based detection signals.
- Affected versions are NoviWare through NW400.2.6; NoviWare400 3.0 and later are patched. Detections should be scoped to devices running vulnerable firmware versions.
CVSS provenance
NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
GHSA-279h-w9gh-fpvc (CVE-2017-12784, CRITICAL, CWE-20; ghsa_unreviewed · 2022-05-17 · CVSS 9.8)
In Youngzsoft CCFile (aka CC File Transfer) 3.6, by sending a crafted HTTP request, it is possible for a malicious user to remotely crash the affected software. No authentication is required. An example payload is a malformed request header with many '|' characters. NOTE: some sources use this ID for a NoviWare issue, but the correct ID for that issue is CVE-2017-12787.
GHSA-5gx4-r4vg-49w6 (CVE-2017-12787, CRITICAL, CWE-119; ghsa_unreviewed · 2022-05-17)
Description: identical to the NVD description above.
No detection rules found.
No writeups or analysis indexed.