SUMMARY
The following vulnerabilities were found in the Cerner Connectivity Engine (CCE) embedded device software.
CVE-2018-20052
An issue was discovered on Cerner Connectivity Engine (CCE) 4 devices. The user running the main CCE firmware has NOPASSWD sudo privileges to several utilities that could be used to escalate privileges to root, for example with the command “sudo ln -s /tmp/script /etc/cron.hourly/script”.
CVE-2018-20053
A vulnerability was discovered on Cerner Connectivity Engine (CCE) 4 devices that allows for remote code execution. The hostname, timezone, and NTP server configurations on the CCE device are vulnerable to command injection by sending an unauthenticated, specially crafted configuration file over the network.
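As a mitigation sketch for the injection class described in CVE-2018-20053, the following added example (not Cerner's code and not part of the original advisory) validates the three affected settings against strict allowlists before they reach any system command. The field names hostname, timezone and ntp_server, and the use of hostnamectl, are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1123 host label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# tz database style names ("UTC", "America/Chicago"); dots are excluded, so no "../".
_TZ = re.compile(r"[A-Za-z0-9_+-]{1,32}(/[A-Za-z0-9_+-]{1,32}){0,2}")


def valid_hostname(value: str) -> bool:
    """True if value is an RFC 1123 hostname (max 253 chars, dot-separated labels)."""
    if not 1 <= len(value) <= 253:
        return False
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def valid_timezone(value: str) -> bool:
    return _TZ.fullmatch(value) is not None


def valid_ntp_server(value: str) -> bool:
    """Accept a literal IPv4/IPv6 address or an RFC 1123 hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return valid_hostname(value)


# Assumed configuration field names (hypothetical, not taken from the device).
VALIDATORS = {
    "hostname": valid_hostname,
    "timezone": valid_timezone,
    "ntp_server": valid_ntp_server,
}


def check_config(config: dict) -> list:
    """Return the sorted names of fields that are missing, non-string or malformed."""
    rejected = []
    for field, validator in VALIDATORS.items():
        value = config.get(field)
        if not isinstance(value, str) or not validator(value):
            rejected.append(field)
    return sorted(rejected)


def hostname_argv(config: dict) -> list:
    """Build an argv list (never a shell string) only after every field has passed."""
    bad = check_config(config)
    if bad:
        raise ValueError("rejected fields: " + ", ".join(bad))
    return ["hostnamectl", "set-hostname", config["hostname"]]
```

Passing the returned list to subprocess.run without shell=True keeps the value a single argument even if a validator is later loosened; authenticating the configuration file itself is a separate control that this sketch does not cover.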
IMPACT
CVE-2018-20052
Access Vector: Local
Complexity: Low
Authentication: None
Impact Type: Privilege Escalation
Privilege Level: Root
Credit: Robert Roberson, Bryan Rhodes
CVE-2018-20053
Access Vector: Remote
Complexity: Low
Authentication: None
Impact Type: Code Execution
Privilege Level: Unprivileged
Credit: Ryan Wincey, Robert Roberson