CVE-2017-9381
Description
An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device lets a user install or delete apps through the web management interface. The device does not appear to implement any cross-site request forgery protection mechanism, which allows an attacker to trick a user who navigates to an attacker-controlled page into installing or deleting an application on the device. Note: the cross-site request forgery weakness is systemic across all other functionalities of the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in VeraEdge and Veralite routers allows attackers to trick users into installing or deleting apps on the device.
Vulnerability
The Vera VeraEdge (version 1.7.19) and Veralite (version 1.7.481) devices lack cross-site request forgery (CSRF) protection across all web management interface functionalities [1]. This allows an attacker to craft a malicious page that, when visited by an authenticated user, performs actions such as installing or deleting applications on the device. The issue is systemic across the entire web interface [1].
Exploitation
An attacker only needs to host a specially crafted HTML page that sends HTTP requests to the Vera device on behalf of a logged-in user. No authentication on the attacker's part is required; the attacker must simply trick the victim into visiting the attacker-controlled page while the victim is authenticated to the Vera web interface. The sequence involves: (1) the user logs into the Vera device's management console; (2) the user navigates to the attacker's malicious page; (3) the page submits requests to the device to install or delete apps, and the browser attaches the user's existing session to them, so the device accepts them as if the user had issued them [1].
Impact
A successful CSRF attack can lead to unauthorized installation or deletion of applications on the Vera device. The impact is primarily an integrity violation regarding device configuration. The attacker could potentially install malicious apps or remove critical ones, leading to further compromise or denial of service [1].
Mitigation
As of the referenced advisory [1], no firmware update addressing this CSRF issue was disclosed. Users should avoid browsing untrusted websites while logged into the Vera management interface, and consider using browser extensions or network-level protections that block cross-origin requests to local IPs. The devices may be end-of-life; consult the vendor for any available patches or replacements.
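The missing control described above is a server-side check that a state-changing request actually came from the device's own UI. The following is an added example (not the Vera firmware's code) of how a device management endpoint would reject the forged install/delete request from the scenario while accepting a legitimate one; the origin `http://192.168.1.10`, the `sid` cookie, and the `Session`/`Request` types are constructed for the example. It also fails closed when neither an Origin nor a Referer header is present.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Origin the management UI is served from (assumed value for this example).
DEVICE_ORIGIN = "http://192.168.1.10"

@dataclass
class Session:
    user: str
    # Per-session secret the UI embeds in its own forms; an attacker's page never sees it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    cookies: dict   # the browser attaches these automatically, even to cross-site requests
    headers: dict
    form: dict

SESSIONS: dict = {}

def login(user: str) -> str:
    """Constructed stand-in for the device's login: returns the session cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    return sid

def same_origin(headers: dict) -> bool:
    """Check 1: the request must come from the device's own origin, failing closed."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == DEVICE_ORIGIN
    # Some browsers send only Referer; require a URL under the device origin.
    return headers.get("Referer", "").startswith(DEVICE_ORIGIN + "/")

def handle_app_action(req: Request) -> tuple:
    """Guard a state-changing install/delete endpoint; returns (status, message)."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    if not same_origin(req.headers):
        return 403, "cross-origin request rejected"
    # Check 2: the submitted token must match the session's; compare in constant time.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, f"{req.form['action']} {req.form['app']} for {session.user}"
```

Either check alone stops the attacker-hosted page in the scenario, since it can neither send the device's origin nor read the token; using both covers clients that strip Origin/Referer.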
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Vera/VeraEdge
- Range: = 1.7.481
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/153242/Veralite-Veraedge-Router-XSS-Command-Injection-CSRF-Traversal.html (MITRE, x_refsource_MISC)
- github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Vera_sec_issues.pdf (MITRE, x_refsource_MISC)
- seclists.org/bugtraq/2019/Jun/8 (MITRE, mailing list, x_refsource_BUGTRAQ)
News mentions
No linked articles in our index yet.