A vulnerability was found in cpp-ethereum JSON-RPC (the affected version is unknown) and classified as critical. This issue affects an unknown code of the component admin_peers API. The manipulation as part of a JSON Request leads to a improper authorization vulnerability. Using CWE to declare the problem leads to CWE-285. The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

An exploitable improper authorization vulnerability exists in admin_peers API of cpp-ethereum's JSON-RPC (commit 4e1015743b95821849d001618a7ce82c7c073768). A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigger this vulnerability.

The bug was discovered 01/09/2018. The weakness was published 01/19/2018 by Cisco with Cisco Talos (Website). It is possible to read the advisory at securityfocus.com. The identification of this vulnerability is CVE-2017-12114 since 07/31/2017. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1548.002 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 10 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Similar entries are available at 112233, 112234, 112236 and 112237.

Productinfo

Vendor

• cpp-ethereum

Name

• JSON-RPC

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion