CVE-2017-15043

Published: May 4, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS300 routers with firmware before 4.4.5 and GX450, ES450, RV50, RV50X, MP70, and MP70E routers with firmware before 4.9 could allow an authenticated remote attacker to execute arbitrary code and gain full control of an affected system, including issuing commands with root privileges. This vulnerability is due to insufficient input validation on user-controlled input in an HTTP request to the targeted device. An attacker in possession of router login credentials could exploit this vulnerability by sending a crafted HTTP request to an affected system.

Affected (10)

Products: Sierrawireless: Gx440 Firmware, Es440 Firmware, Ls300 Firmware, Gx400 Firmware, Es450 Firmware, Rv50 Firmware, Rv50x Firmware, Mp70 Firmware, Mp70e Firmware, Gx450 Firmware

10 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sierrawireless Gx440 Firmware	Before 4.4.5

Running on/with	Platform Versions
Sierrawireless Gx440	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sierrawireless Es440 Firmware	Before 4.4.5

Running on/with	Platform Versions
Sierrawireless Es440	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sierrawireless Ls300 Firmware	Before 4.4.5

Running on/with	Platform Versions
Sierrawireless Ls300	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sierrawireless Gx400 Firmware	Before 4.4.5

Running on/with	Platform Versions
Sierrawireless Gx400	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sierrawireless Es450 Firmware	Before 4.9

Running on/with	Platform Versions
Sierrawireless Es450	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sierrawireless Rv50 Firmware	Before 4.9

Running on/with	Platform Versions
Sierrawireless Rv50	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sierrawireless Rv50x Firmware	Before 4.9

Running on/with	Platform Versions
Sierrawireless Rv50x	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sierrawireless Mp70 Firmware	Before 4.9

Running on/with	Platform Versions
Sierrawireless Mp70	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sierrawireless Mp70e Firmware	Before 4.9

Running on/with	Platform Versions
Sierrawireless Mp70e	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sierrawireless Gx450 Firmware	Before 4.9

Running on/with	Platform Versions
Sierrawireless Gx450	All versions

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

https://source.sierrawireless.com/resources/airlink/software_reference_docs/technical-bulletin/swi-psa-2018-003-technical-bulletin-reaper/

Source: cve@mitre.org

MitigationVendor Advisory

https://source.sierrawireless.com/resources/airlink/software_reference_docs/technical-bulletin/swi-psa-2018-003-technical-bulletin-reaper/

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

Timeline

No history available yet.