CVE-2017-9383

9.9 CRITICAL

📋 TL;DR

This vulnerability allows remote command injection on VeraEdge and Veralite IoT devices through UPnP services. Attackers can execute arbitrary commands on the device by injecting malicious parameters into the wget service URL parameter. All users of affected Vera devices with UPnP enabled are vulnerable.

💻 Affected Systems

Products:
  • Vera VeraEdge
  • Vera Veralite
Versions: VeraEdge 1.7.19 and earlier, Veralite 1.7.481 and earlier
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Devices with UPnP enabled (default) are vulnerable. The vulnerability exists in the UPnP service implementation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full device compromise allowing attackers to execute arbitrary commands as root, install persistent backdoors, pivot to internal networks, and potentially brick devices.

🟠

Likely Case

Remote code execution leading to device takeover, credential theft, and use as botnet nodes or attack platforms.

🟢

If Mitigated

Limited impact if UPnP services are disabled or network access is restricted, though devices remain vulnerable to internal attackers.

🌐 Internet-Facing: HIGH - UPnP services are exposed on port 3480 and port 80, making devices directly accessible from the internet if not properly firewalled.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows network-adjacent attackers to compromise devices without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and uses simple HTTP requests with command injection in URL parameters. Public exploit code exists in multiple repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider upgrading to newer Vera devices or alternative platforms as VeraEdge/Veralite are end-of-life products.

🔧 Temporary Workarounds

Disable UPnP Services (platform: all)

Disable UPnP functionality on affected devices to prevent exploitation.

Access device web interface -> Settings -> Network -> Disable UPnP

Block External Access (platform: linux)

Configure the firewall to block external access to ports 3480 and 80. As written, the rules below drop all inbound traffic to those ports, LAN clients and the device's own web interface included; restrict them to the external interface (for example with "-i <wan-interface>", placeholder) if internal access must keep working, and place them ahead of any earlier ACCEPT rule that would match first.

iptables -A INPUT -p tcp --dport 3480 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Isolate affected devices on separate VLAN with strict network segmentation
  • Implement network monitoring for suspicious traffic to/from port 3480

🔍 How to Verify

Check if Vulnerable:

Test whether the UPnP service responds on port 3480, or on port 80 under the /port_3480 path: attempt to access http://device_ip:3480 or http://device_ip/port_3480. A response from either indicates the exposed service is reachable.

Check Version:

Check the device web interface, or SSH to the device and run 'cat /etc/version'.

Verify Fix Applied:

Verify UPnP services are disabled by checking that ports 3480 and 80 no longer respond to UPnP requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual wget or curl commands in system logs
  • HTTP requests to /port_3480 with suspicious URL parameters
  • Command execution attempts in UPnP service logs

Network Indicators:

  • HTTP POST/GET requests to port 3480 with shell metacharacters in parameters
  • Outbound connections from device to unexpected external IPs following UPnP requests

SIEM Query:

source="device_logs" AND (url="*port_3480*" AND (param="*;*" OR param="*|*" OR param="*`*"))
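The log and network indicators above, and the SIEM query, all reduce to one check: a request reaching the UPnP endpoint (port 3480, or the /port_3480 path on port 80) whose query parameters carry shell metacharacters. The following Python script is an added detection example, not code from the original page or from the vendor; the access-log format, the request paths and the log lines are constructed, and it URL-decodes parameter values so that encoded metacharacters such as %3B are not missed.

```python
"""Flag HTTP requests to the Vera UPnP endpoint whose query parameters
carry shell metacharacters. Added detection example; the log format,
request paths and sample lines below are constructed, not captured from
a real device."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters and sequences that let a parameter value break out of a
# shell command line (matches the SIEM query's ';', '|' and '`' checks,
# plus '&', newline and '$(').
SHELL_META = re.compile(r"[;|`&\n]|\$\(")

# Constructed access-log style lines: <client> <method> <url> <status>
SAMPLE_LOG = """\
10.0.0.5 GET http://192.168.1.20:3480/request?id=status 200
10.0.0.5 GET http://192.168.1.20/port_3480/request?id=status 200
203.0.113.7 GET http://192.168.1.20:3480/request?id=action&url=http://x%3Bid 200
203.0.113.7 POST http://192.168.1.20/port_3480/request?url=$(id) 500
10.0.0.9 GET http://192.168.1.20/index.html 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def targets_upnp_endpoint(url: str) -> bool:
    """True if the request hits port 3480 or the /port_3480 path prefix."""
    parts = urlsplit(url)
    return parts.port == 3480 or parts.path.startswith("/port_3480")


def suspicious_params(url: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs whose decoded value contains shell metacharacters."""
    parts = urlsplit(url)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded values.
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line that targets the UPnP endpoint
    with a metacharacter-bearing parameter."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the scan
        url = m["url"]
        if not targets_upnp_endpoint(url):
            continue
        bad = suspicious_params(url)
        if bad:
            findings.append({"client": m["client"], "url": url, "params": bad})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["url"], finding["params"])
```

Run against the constructed sample, the first two lines (ordinary status requests to the endpoint) and the last (an unrelated page) are ignored, while the two requests from 203.0.113.7 are reported, one because the decoded url parameter contains ';' and one because it contains '$('. Requests that never reach the endpoint are not scanned at all, which keeps the metacharacter check from firing on unrelated web traffic that legitimately contains '&' or '|'.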
