CVE-2017-7649: Improper Authentication

September 11, 2017 (updated September 29, 2017)

Kura takes control over the device’s firewall setup but does not allow IPv6 firewall rules to be configured. The Equinox console port is left open, logs into Kura without any user credentials over unencrypted telnet and executes commands using the Equinox exec command. As the process is running as root full control over the device can be acquired. IPv6 is also left in auto-configuration mode, accepting router advertisements automatically and assigns a MAC address based IPv6 address.

References

nvd.nist.gov/vuln/detail/CVE-2017-7649

Detect and mitigate CVE-2017-7649 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →