SUMMARY

The following vulnerabilities were found in the Cerner Connectivity Engine (CCE) embedded device software.

CVE-2018-20052

An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices. The user running the main CCE firmware has NOPASSWD sudo privileges to several utilities that could be used to escalate privileges to root. E.g. “sudo ln -s /tmp/script /etc/cron.hourly/script” command.

CVE-2018-20053

A vulnerability was discovered on Cerner Connectivity Engine (CCE) 4 devices that allows for remote code execution. The hostname, timezone, and NTP server configurations on the CCE device are vulnerable to command injection by sending a unauthenticated, specially crafted configuration file over the network.

IMPACT

IMPACT

Access Vector:
Complexity:
Authentication:
Impact Type:
Privilege Level:
Credit:

Local
Low
None
Privilege Escalation
Root
Robert Roberson, Bryan Rhodes

Access Vector:
Complexity:
Authentication:
Impact Type:
Privilege Level:
Credit:

Remote
Low
None
Code Execution
Unprivileged
Ryan Wincey, Robert Roberson

AFFECTED PRODUCTS

  • Cerner Connectivity Engine 4 Firmware build prior to 12/2018

SOFTWARE FIXES

  • Please update to any firmware version released after 12/2018.

TIMELINE

12.05.2018

Contacted Cerner About Vulnerabilties

12.13.2018

Received Response With Request For Details

03.14.2018

Vendor Provides Updated Patch & Gives Disclosure Green Light

REFERENCES