CVE-2013-6881
Severity: critical
CVSS v3: —
CVSS v2: 10.0
VIR risk: 10.0
Description
CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) sector size or (2) skip count fields for the forensic imaging task.
Predictions
Exploit likelihood: 20%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
- Vendor advisory (cve@mitre.org): http://www.cru-inc.com/support/software-downloads/ditto-firmware-updates/ditto-firmware-release-notes-2013oct15a/
- Vendor advisory (cve@mitre.org): http://www.cru-inc.com/support/software-downloads/ditto-firmware-updates/ditto-firmware-release-notes-2013jun30a/
- Vendor advisory (cve@mitre.org): http://secunia.com/advisories/55989
References
- http://packetstormsecurity.com/files/124420/Ditto-Forensic-FieldStation-2013Oct15a-XSS-CSRF-Command-Execution.html
- http://seclists.org/fulldisclosure/2013/Dec/80
- http://secunia.com/advisories/55989
- http://www.cru-inc.com/support/software-downloads/ditto-firmware-updates/ditto-firmware-release-notes-2013jun30a/
- http://www.cru-inc.com/support/software-downloads/ditto-firmware-updates/ditto-firmware-release-notes-2013oct15a/
- http://www.exploit-db.com/exploits/30396
CWEs
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')