NoviFlow NoviWare <= NW400.2.6 multiple vulnerabilities Introduction ========== NoviWare is a high-performance OpenFlow 1.3, 1.4 and 1.5 compliant switch software developed by NoviFlow and available for license to network equipment manufacturers. Multiple vulnerabilities were identified in the NoviWare software deployed on NoviSwitch devices. They could allow a remote attacker to gain privileged code execution on the switch (non-default configuration) or a low-privileged CLI user to execute code as root. CVEs ===== * CVE-2017-12784: remote code execution in novi_process_manager_daemon Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) * CVE-2017-12785: cli breakout in novish Indicative CVSS v2 base score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C) * CVE-2017-12786: remote code execution in noviengine and cliengine Indicative CVSS v2 base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) Affected versions ============== NoviWare <= NW400.2.6 and devices where a vulnerable NoviWare version is deployed Author ====== FranASSois Goichon - Google Security Team CVE-2017-12784 ============== Remote code execution in novi_process_manager_daemon Summary ------------- The NoviWare switching software distribution is prone to two distinct bugs which could potentially allow a remote, unauthenticated attacker to gain privileged (root) code execution on the switch device. - A flaw when applying ACL changes requested from the CLI could expose the novi_process_manager_daemon network service - This network service is prone to command injection and a stack-based buffer overflow Reproduction ------------------ If TCP port 2020 is accepting connections from the network, the following python script can be used to ping yourself on vulnerable versions : --- from struct import pack import socket s = socket.socket() s.connect((, 2020)) payload = pack("; echo\x00" s.sendall(pack(", <9090 or 12345>)) payload = "".join([pack("