SMC: potentially lead to the remote execution of unauthorized SMC commands on the server

Advisory ID: STORM-2019-005
CVE Number:
Date discovered: 04/30/2019
Severity: high
Advisory revision: v1

Vulnerability details

This vulnerability can potentially lead to the remote execution of unauthorized SMC commands on the server.

Products

Product | Severity | Detail
Stormshield Network Security | high | Potentially lead to the remote execution of unauthorized SMC commands on the server
Stormshield Endpoint Security | None | Not impacted
Stormshield Data Security | None | Not impacted
Fast360 | None | Not impacted
Netasq | None | Not impacted

Revisions

Version | Date | Description
v1 | | Initial release


Stormshield Network Security

CVSS Overall Score: 9.3

Analysis

We have found a vulnerability in the authentication process related to a private API on port 1755/TCP of Stormshield Management Center (SMC) that can potentially lead to the remote execution of unauthorized SMC commands on the server.

Impacted version

All SMC versions since 1.1.0

Workaround solution

No workaround.

Solution

The 2.5.1 update will fix this vulnerability.



Access vector: Network
Access complexity: Low
Authentication: None
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete
CVSS Base score: 10
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Exploitability: High
Remediation Level: Official fix
Report Confidence: Confirmed
CVSS Temporal score: 8.7
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C)

Collateral Damage Potential: High
Target Distribution: High [76-100%]
CVSS Environmental score: 9.3
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C/CDP:H/TD:H)