CVE-2018-14705

In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself.

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc	Third Party Advisory
https://www.ise.io/casestudies/sohopelessly-broken-2-0/	Third Party Advisory
https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc	Third Party Advisory
https://www.ise.io/casestudies/sohopelessly-broken-2-0/	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:drobo:5n2_firmware:4.0.5:*:*:*:*:*:*:*

cpe:2.3:h:drobo:5n2:-:*:*:*:*:*:*:*

History

21 Nov 2024, 03:49

Type	Values Removed	Values Added
References	~~() https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc - Third Party Advisory~~	() https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc - Third Party Advisory
References	~~() https://www.ise.io/casestudies/sohopelessly-broken-2-0/ - Third Party Advisory~~	() https://www.ise.io/casestudies/sohopelessly-broken-2-0/ - Third Party Advisory

Information

Published : 2020-02-24 19:15

Updated : 2024-11-21 03:49

NVD link : CVE-2018-14705

Mitre link : CVE-2018-14705

CVE.ORG link : CVE-2018-14705

JSON object : View

Products Affected

drobo

5n2
5n2_firmware

CWE

CWE-287

Improper Authentication

{"id": "CVE-2018-14705", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-02-24T19:15:12.010", "references": [{"url": "https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.ise.io/casestudies/sohopelessly-broken-2-0/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://blog.securityevaluators.com/call-me-a-doctor-new-vulnerabilities-in-drobo5n2-4f1d885df7fc", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.ise.io/casestudies/sohopelessly-broken-2-0/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself."}, {"lang": "es", "value": "En Drobo 5N2 versi\u00f3n 4.0.5, todas las aplicaciones opcionales presentan una carencia de cualquier forma de comprobaci\u00f3n de autenticaci\u00f3n/autorizaci\u00f3n. Como resultado, cualquier usuario capaz de acceder al dispositivo por medio de la red, puede interactuar y controlar estas aplicaciones. Esto no solo plantea un grave riesgo para la disponibilidad de estas aplicaciones, sino que tambi\u00e9n plantea graves riesgos para la confidencialidad e integridad de los datos almacenados dentro de las aplicaciones y del dispositivo en s\u00ed."}], "lastModified": "2024-11-21T03:49:37.667", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:drobo:5n2_firmware:4.0.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1668799A-01C3-4B54-9C47-3FB9A61C7F9E"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:drobo:5n2:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "07D3025D-7247-4F25-9F2D-5F0DDAEEAC08"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}