8.8

CVE-2017-5671

Exploit

Honeywell Intermec PM23, PM42, PM43, PC23, PC43, PD43, and PC42 industrial printers before 10.11.013310 and 10.12.x before 10.12.013309 have /usr/bin/lua installed setuid to the itadmin account, which allows local users to conduct a BusyBox jailbreak attack and obtain root privileges by overwriting the /etc/shadow file.

Data is provided by the National Vulnerability Database (NVD)
HoneywellIntermec Pc23 Firmware Version <= 10.10.011406
   HoneywellIntermec Pc23 Version-
   HoneywellIntermec Pc42 Version-
   HoneywellIntermec Pc43 Version-
   HoneywellIntermec Pd43 Version-
   HoneywellIntermec Pm23 Version-
   HoneywellIntermec Pm42 Version-
   HoneywellIntermec Pm43 Version-
HoneywellIntermec Pc42 Firmware Version <= 10.10.011406
   HoneywellIntermec Pc23 Version-
   HoneywellIntermec Pc42 Version-
   HoneywellIntermec Pc43 Version-
   HoneywellIntermec Pd43 Version-
   HoneywellIntermec Pm23 Version-
   HoneywellIntermec Pm42 Version-
   HoneywellIntermec Pm43 Version-
HoneywellIntermec Pc43 Firmware Version <= 10.10.011406
   HoneywellIntermec Pc23 Version-
   HoneywellIntermec Pc42 Version-
   HoneywellIntermec Pc43 Version-
   HoneywellIntermec Pd43 Version-
   HoneywellIntermec Pm23 Version-
   HoneywellIntermec Pm42 Version-
   HoneywellIntermec Pm43 Version-
HoneywellIntermec Pd43 Firmware Version <= 10.10.011406
   HoneywellIntermec Pc23 Version-
   HoneywellIntermec Pc42 Version-
   HoneywellIntermec Pc43 Version-
   HoneywellIntermec Pd43 Version-
   HoneywellIntermec Pm23 Version-
   HoneywellIntermec Pm42 Version-
   HoneywellIntermec Pm43 Version-
HoneywellIntermec Pm23 Firmware Version <= 10.10.011406
   HoneywellIntermec Pc23 Version-
   HoneywellIntermec Pc42 Version-
   HoneywellIntermec Pc43 Version-
   HoneywellIntermec Pd43 Version-
   HoneywellIntermec Pm23 Version-
   HoneywellIntermec Pm42 Version-
   HoneywellIntermec Pm43 Version-
HoneywellIntermec Pm42 Firmware Version <= 10.10.011406
   HoneywellIntermec Pc23 Version-
   HoneywellIntermec Pc42 Version-
   HoneywellIntermec Pc43 Version-
   HoneywellIntermec Pd43 Version-
   HoneywellIntermec Pm23 Version-
   HoneywellIntermec Pm42 Version-
   HoneywellIntermec Pm43 Version-
HoneywellIntermec Pm43 Firmware Version <= 10.10.011406
   HoneywellIntermec Pc23 Version-
   HoneywellIntermec Pc42 Version-
   HoneywellIntermec Pc43 Version-
   HoneywellIntermec Pd43 Version-
   HoneywellIntermec Pm23 Version-
   HoneywellIntermec Pm42 Version-
   HoneywellIntermec Pm43 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.51% 0.635
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.8 2 6
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov 7.2 3.9 10
AV:L/AC:L/Au:N/C:C/I:C/A:C
CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

http://www.securityfocus.com/bid/97236
Third Party Advisory
VDB Entry