CVE-2017-2898 | An exploitable vulnerability exists in the signature verific… | CVSS 9.9 CRITICAL

Description

An exploitable vulnerability exists in the signature verification of the firmware update functionality of Circle with Disney. Specially crafted network packets can cause an unsigned firmware to be installed in the device resulting in arbitrary code execution. An attacker can send a series of packets to trigger this vulnerability.

Metadata

CVE ID: CVE-2017-2898
State: PUBLISHED
Assigner: talos
Reserved: 2016-12-01 00:00 UTC
Published: 2017-11-07 16:00 UTC
Last updated: 2024-09-16 18:28 UTC
Vendor / Product: Circle Media / Circle
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.0

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
Circle Media	Circle	—	firmware 2.0.1

Weakness (CWE)

CWE	Source	Description
—	cna	arbitrary code execution

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (1)

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0405