CVE-2013-4864
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in MiCasaVerde VeraLite home automation controllers. Attackers can exploit the proxy.sh CGI script to send HTTP requests to internal network servers, potentially accessing sensitive systems. All VeraLite devices running firmware version 1.5.408 are affected.
💻 Affected Systems
- MiCasaVerde VeraLite
📦 What is this software?
VeraLite firmware by MiCasaVerde
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network services, data exfiltration from internal systems, lateral movement to critical infrastructure, and potential ransomware deployment across connected devices.
Likely Case
Unauthorized access to internal web services, information disclosure from internal servers, and potential credential harvesting from internal applications.
If Mitigated
Limited to port scanning of internal network and minimal information disclosure if proper network segmentation and firewall rules are implemented.
🎯 Exploit Status
Multiple public exploit scripts exist. Exploitation requires only HTTP access to the device's web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware versions after 1.5.408
Vendor Advisory: https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt
Restart Required: Yes
Instructions:
1. Log into VeraLite web interface
2. Navigate to Settings > Advanced > Update Firmware
3. Download and install latest firmware from official MiCasaVerde repository
4. Reboot device after installation completes
🔧 Temporary Workarounds
Network Access Control
Block external access to the VeraLite web interface using firewall rules (192.168.1.0/24 is an example LAN range; adjust to your subnet)
iptables -A INPUT -p tcp --dport 80 ! -s 192.168.1.0/24 -j DROP
iptables -A INPUT -p tcp --dport 443 ! -s 192.168.1.0/24 -j DROP
CGI Script Restriction
Disable or restrict access to the vulnerable proxy.sh script
chmod 000 /www/cgi-bin/cmh/proxy.sh
mv /www/cgi-bin/cmh/proxy.sh /www/cgi-bin/cmh/proxy.sh.disabled
🧯 If You Can't Patch
- Isolate VeraLite device on separate VLAN with strict firewall rules preventing outbound requests to internal networks
- Implement web application firewall (WAF) rules to block requests containing 'proxy.sh' or suspicious URL parameters
🔍 How to Verify
Check if Vulnerable:
Access http://[device-ip]/cgi-bin/cmh/proxy.sh?url=http://localhost and check if it returns internal service responses
Check Version:
curl -s http://[device-ip]/port_3480/data_request?id=lr_DeviceList | grep -i firmware
Verify Fix Applied:
Attempt the same request after patching; it should return an error or be blocked
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /cgi-bin/cmh/proxy.sh with URL parameters
- Unusual outbound connections from VeraLite to internal IPs
Network Indicators:
- HTTP traffic from external IPs to VeraLite on port 80/443 with proxy.sh in URL
- VeraLite making unexpected HTTP requests to internal servers
SIEM Query:
source="veralite-logs" AND uri="/cgi-bin/cmh/proxy.sh" AND url=*
🔗 References
- http://packetstormsecurity.com/files/122654/MiCasaVerde-VeraLite-1.5.408-Traversal-Authorization-CSRF-Disclosure.html
- http://www.exploit-db.com/exploits/27286
- https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt