CVE-2019-12780
Published: 2019-06-10
Priority: P1 · 90 · critical 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 71.99% (99.4th percentile)
The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. A simple POST request to /upnp/control/basicevent1 can allow an attacker to execute commands without authentication.
Detection & IOCs (extracted from sources)
hash (md5): d6ebabf44849951d754ee2de15a24b92
Snort/Suricata rule, inbound (sid 2027486):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Inbound (CVE-2019-12780)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/basicevent1"; startswith; endswith; http.request_header; header_lowercase; content:"soapaction|3a 20|"; startswith; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; within:48; fast_pattern; http.request_body; content:"|3c|SmartDevURL|3e 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027486; rev:6;)
Snort/Suricata rule, outbound (sid 2027487):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Outbound (CVE-2019-12780)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/basicevent1"; startswith; endswith; http.request_header; header_lowercase; content:"soapaction|3a 20|"; startswith; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; within:48; http.request_body; content:"|3c|SmartDevURL|3e 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027487; rev:6;)
Byte pattern (request body): |3c|SmartDevURL|3e 60|
Byte pattern (SOAPAction header): urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo
- The exploit is an HTTP POST to /upnp/control/basicevent1 with a SOAPAction header containing 'SetSmartDevInfo' and a backtick-prefixed command injected in the <SmartDevURL> body element; no authentication is required.
- Other Wemo devices (non-Crock-Pot) are known to be affected on RPORT 49153; monitor that port for the same POST/SOAPAction pattern.
- The byte sequence |3c|SmartDevURL|3e 60| in the HTTP request body is `<SmartDevURL>` followed by a backtick (0x60), the marker of shell command injection; flag any HTTP body containing this pattern.
- The exploit has been associated with the Echobot malware campaign (Mirai variant); correlate detections with known Mirai/Echobot IoT botnet infrastructure.
- The Snort/Suricata rules (sid:2027486, sid:2027487) cover both inbound and outbound directions; deploy both on perimeter sensors to catch exploitation attempts from external actors and lateral movement from already-compromised internal IoT devices.
- The default affected port for the Wemo Crock-Pot differs from that of other Wemo devices (49153); ensure detection rules cover both ports to avoid blind spots.
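The match logic the notes above describe, as an added example that is neither the ET rule itself nor code from any of the page's sources: a Python re-implementation of the rule's four conditions (POST, exact URI, SOAPAction URN within 48 bytes, backtick after `<SmartDevURL>`) that can be run over captured requests offline. The sample requests, the 192.0.2.x addresses and the placeholder command are constructed; direction (inbound vs outbound) is not something a single request shows, so it is left to the sensor.

```python
# Added example (not the ET rule itself): its four match conditions over raw HTTP requests.
SOAP_ACTION = b"urn:Belkin:service:basicevent:1#SetSmartDevInfo"
URI = b"/upnp/control/basicevent1"
BODY_MARK = b"<SmartDevURL>`"  # |3c|SmartDevURL|3e 60| in the rule

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return b"", b"", [], body
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            # header_lowercase in the rule lowercases the header name only;
            # the value stays case-sensitive, so "urn:Belkin" must match exactly
            headers.append((name.strip().lower(), value.strip()))
    return parts[0], parts[1], headers, body

def check_request(raw: bytes) -> dict:
    method, uri, headers, body = parse_request(raw)
    soap = next((v for n, v in headers if n == b"soapaction"), None)
    # within:48 after "soapaction: " means the 47-byte URN must end by byte 48
    # of the value, i.e. start at offset 0 or 1 (an optional opening quote)
    action_ok = False
    if soap is not None:
        idx = soap.find(SOAP_ACTION)
        action_ok = idx != -1 and idx + len(SOAP_ACTION) <= 48
    return {
        "post": method == b"POST",
        "uri": uri == URI,  # startswith + endswith on http.uri = exact match
        "soapaction": action_ok,
        "backtick_body": BODY_MARK in body,
    }

def is_cve_2019_12780_attempt(raw: bytes) -> bool:
    return all(check_request(raw).values())

# Constructed sample requests (not real captures); the injected command is a
# labelled placeholder, since only the backtick after <SmartDevURL> matters.
ATTEMPT = (
    b"POST /upnp/control/basicevent1 HTTP/1.1\r\nHost: 192.0.2.10:49153\r\n"
    b'SOAPAction: "urn:Belkin:service:basicevent:1#SetSmartDevInfo"\r\n\r\n'
    b"<s:Envelope><s:Body><u:SetSmartDevInfo><SmartDevURL>`PLACEHOLDER_COMMAND`"
    b"</SmartDevURL></u:SetSmartDevInfo></s:Body></s:Envelope>"
)
BENIGN = ATTEMPT.replace(b"`PLACEHOLDER_COMMAND`", b"http://192.0.2.20/info")  # ordinary URL, no alert
```

Feeding `check_request` the benign sample shows why the body condition matters: a legitimate SetSmartDevInfo call satisfies the method, URI and SOAPAction checks and only the backtick marker separates it from an exploitation attempt.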
CVSS provenance
NVD v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-3wv6-pjqx-6927 (ghsa_unreviewed · 2022-05-24 · CVE-2019-12780 [CRITICAL] · CWE-78): The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. A simple POST request to /upnp/control/basicevent1 can allow an attacker to execute commands without authentication.
VulnCheck
belkin crock-pot_smart_slow_cooker_with_wemo_firmware: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (vulncheck · 2019 · CVE-2019-12780 [CRITICAL] · CVSS 9.8)
The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. A simple POST request to /upnp/control/basicevent1 can allow an attacker to execute commands without authentication.
Affected: belkin crock-pot_smart_slow_cooker_with_wemo_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.akamai.com/blog/security/latest-echobot-26-infection-vectors; https://web.archive.org/web/20200319160240/https://labs.bitdefender.com/202
Suricata
ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Outbound (CVE-2019-12780) (suricata · 2019-06-18 · CVE-2019-12780 [CRITICAL] · CVSS 9.8)
Rule: sid 2027487; the full outbound rule is listed under Detection & IOCs above.
Suricata
ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Inbound (CVE-2016-6255) (suricata · 2019-06-18 · CVE-2016-6255 [HIGH] · CVSS 7.5)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Inbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; startswith; endswith; fast_pattern; http.request_header; header_lowercase; content:"soapaction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027489; rev:7; m
Suricata
ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Inbound (CVE-2019-12780) (suricata · 2019-06-18 · CVE-2019-12780 [CRITICAL] · CVSS 9.8)
Rule: sid 2027486; the full inbound rule is listed under Detection & IOCs above.
Suricata
ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Outbound (CVE-2016-6255) (suricata · 2019-06-18 · CVE-2016-6255 [HIGH] · CVSS 7.5)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Outbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; startswith; endswith; fast_pattern; http.request_header; header_lowercase; content:"soapaction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027488; rev:7;
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities (blogs_unit42 · 2019-12-13)
## Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
Ruchna Nigam, Unit42 Threat Research. Published: December 13, 2019. Tags: Malware, Threat Research, Vulnerabilities, Echobot, IoT, IoT Vulnerability, Mirai, Mirai variant
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Bugzilla
CVE-2019-3882 kernel: denial of service vector through vfio DMA mappings (bugzilla · 2019-03-15 · CVE-2019-3882 [MEDIUM] · CVSS 5.5)
A flaw was found in the Linux kernel vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS).
References:
https://seclists.org/oss-sec/2019/q2/6
A suggested fix:
https://lore.kernel.org/lkml/[email protected]/T/#u
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1695571]
---
kernel-5.0.6-100.fc28, kernel-headers-5.0.6-100.fc28, kernel-tools-5.0.6-100.fc28 has been pushed to the Fedora 28 stable reposit