stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Restructure solution layout by module

Browse Source
This commit is contained in:
master
2025-10-28 15:10:40 +02:00
parent 95daa159c4
commit d870da18ce
4103 changed files with 192899 additions and 187024 deletions
Download Patch File Download Diff File Expand all files Collapse all files

374
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/certcc-advisories.snapshot.json Normal file
View File

@@ -0,0 +1,374 @@
[
{
"advisoryKey": "certcc/vu-294418",
"affectedPackages": [
{
"type": "vendor",
"identifier": "DrayTek Corporation",
"platform": null,
"versionRanges": [
{
"fixedVersion": null,
"introducedVersion": null,
"lastAffectedVersion": null,
"primitives": {
"evr": null,
"hasVendorExtensions": true,
"nevra": null,
"semVer": null,
"vendorExtensions": {
"certcc.vendor.name": "DrayTek Corporation",
"certcc.vendor.statement.raw": "The issue is confirmed, and here is the patch list\nV3912/V3910/V2962/V1000B 4.4.3.6/4.4.5.1\nV2927/V2865/V2866 4.5.1\nV2765/V2766/V2763/V2135 4.5.1\nV2915 4.4.6.1\nV2862/V2926 3.9.9.12\nV2952/3220 3.9.8.8\nV2860/V2925 3.9.8.6\nV2133/V2762/V2832 3.9.9.4\nV2620/LTE200 3.9.9.5",
"certcc.vendor.contactDate": "2025-09-15T19:03:33.6643450+00:00",
"certcc.vendor.statementDate": "2025-09-16T02:27:51.3463350+00:00",
"certcc.vendor.updated": "2025-10-03T11:35:31.1906610+00:00",
"certcc.vendor.statuses": "CVE-2025-10547=affected",
"certcc.vendor.patches": "3220=3.9.8.8;LTE200=3.9.9.5;V1000B=4.4.5.1;V2133=3.9.9.4;V2135=4.5.1;V2620=3.9.9.5;V2762=3.9.9.4;V2763=4.5.1;V2765=4.5.1;V2766=4.5.1;V2832=3.9.9.4;V2860=3.9.8.6;V2862=3.9.9.12;V2865=4.5.1;V2866=4.5.1;V2915=4.4.6.1;V2925=3.9.8.6;V2926=3.9.9.12;V2927=4.5.1;V2952=3.9.8.8;V2962=4.4.5.1;V3910=4.4.3.6;V3912=4.4.3.6"
}
},
"provenance": {
"source": "cert-cc",
"kind": "vendor-range",
"value": "DrayTek Corporation",
"decisionReason": null,
"recordedAt": "2025-11-01T08:00:00+00:00",
"fieldMask": []
},
"rangeExpression": null,
"rangeKind": "vendor"
}
],
"normalizedVersions": [
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "3.9.8.6",
"notes": "DrayTek Corporation::V2860"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "3.9.8.6",
"notes": "DrayTek Corporation::V2925"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "3.9.8.8",
"notes": "DrayTek Corporation::3220"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "3.9.8.8",
"notes": "DrayTek Corporation::V2952"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "3.9.9.12",
"notes": "DrayTek Corporation::V2862"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "3.9.9.12",
"notes": "DrayTek Corporation::V2926"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "3.9.9.4",
"notes": "DrayTek Corporation::V2133"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "3.9.9.4",
"notes": "DrayTek Corporation::V2762"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "3.9.9.4",
"notes": "DrayTek Corporation::V2832"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "3.9.9.5",
"notes": "DrayTek Corporation::LTE200"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "3.9.9.5",
"notes": "DrayTek Corporation::V2620"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "4.4.3.6",
"notes": "DrayTek Corporation::V3910"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "4.4.3.6",
"notes": "DrayTek Corporation::V3912"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "4.4.5.1",
"notes": "DrayTek Corporation::V1000B"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "4.4.5.1",
"notes": "DrayTek Corporation::V2962"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "4.4.6.1",
"notes": "DrayTek Corporation::V2915"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "4.5.1",
"notes": "DrayTek Corporation::V2135"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "4.5.1",
"notes": "DrayTek Corporation::V2763"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "4.5.1",
"notes": "DrayTek Corporation::V2765"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "4.5.1",
"notes": "DrayTek Corporation::V2766"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "4.5.1",
"notes": "DrayTek Corporation::V2865"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "4.5.1",
"notes": "DrayTek Corporation::V2866"
},
{
"scheme": "certcc.vendor",
"type": "exact",
"min": null,
"minInclusive": null,
"max": null,
"maxInclusive": null,
"value": "4.5.1",
"notes": "DrayTek Corporation::V2927"
}
],
"statuses": [
{
"provenance": {
"source": "cert-cc",
"kind": "vendor-status",
"value": "DrayTek Corporation:CVE-2025-10547",
"decisionReason": null,
"recordedAt": "2025-11-01T08:00:00+00:00",
"fieldMask": []
},
"status": "affected"
}
],
"provenance": [
{
"source": "cert-cc",
"kind": "vendor",
"value": "DrayTek Corporation",
"decisionReason": null,
"recordedAt": "2025-11-01T08:00:00+00:00",
"fieldMask": []
}
]
}
],
"aliases": [
"CVE-2025-10547",
"VU#294418"
],
"credits": [],
"cvssMetrics": [],
"exploitKnown": false,
"language": "en",
"modified": "2025-10-03T11:40:09.876722+00:00",
"provenance": [
{
"source": "cert-cc",
"kind": "document",
"value": "https://www.kb.cert.org/vuls/api/294418/",
"decisionReason": null,
"recordedAt": "2025-11-01T08:00:00+00:00",
"fieldMask": []
},
{
"source": "cert-cc",
"kind": "map",
"value": "VU#294418",
"decisionReason": null,
"recordedAt": "2025-11-01T08:00:00+00:00",
"fieldMask": []
}
],
"published": "2025-10-03T11:35:31.026053+00:00",
"references": [
{
"kind": "reference",
"provenance": {
"source": "cert-cc",
"kind": "reference",
"value": "https://www.kb.cert.org/vuls/id/294418",
"decisionReason": null,
"recordedAt": "2025-11-01T08:00:00+00:00",
"fieldMask": []
},
"sourceTag": "certcc.public",
"summary": null,
"url": "https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/"
},
{
"kind": "reference",
"provenance": {
"source": "cert-cc",
"kind": "reference",
"value": "https://www.kb.cert.org/vuls/id/294418",
"decisionReason": null,
"recordedAt": "2025-11-01T08:00:00+00:00",
"fieldMask": []
},
"sourceTag": "certcc.public",
"summary": null,
"url": "https://www.draytek.com/support/resources?type=version"
},
{
"kind": "advisory",
"provenance": {
"source": "cert-cc",
"kind": "reference",
"value": "https://www.kb.cert.org/vuls/id/294418",
"decisionReason": null,
"recordedAt": "2025-11-01T08:00:00+00:00",
"fieldMask": []
},
"sourceTag": "certcc.note",
"summary": null,
"url": "https://www.kb.cert.org/vuls/id/294418"
}
],
"severity": null,
"summary": "Overview\nA remote code execution (RCE) vulnerability, tracked as CVE-2025-10547, was discovered through the EasyVPN and LAN web administration interface of Vigor routers by Draytek. A script in the LAN web administration interface uses an unitialized variable, allowing an attacker to send specially crafted HTTP requests that cause memory corruption and potentially allow arbitrary code execution.\nDescription\nVigor routers are business-grade routers, designed for small to medium-sized businesses, made by Draytek. These routers provide routing, firewall, VPN, content-filtering, bandwidth management, LAN (local area network), and multi-WAN (wide area network) features. Draytek utilizes a proprietary firmware, DrayOS, on the Vigor router line. DrayOS features the EasyVPN and LAN Web Administrator tool s to facilitate LAN and VPN setup. According to the DrayTek website, \"with EasyVPN, users no longer need to generate WireGuard keys, import OpenVPN configuration files, or upload certificates. Instead, VPN can be successfully established by simply entering the username and password or getting the OTP code by email.\"\nThe LAN Web Administrator provides a browser-based user interface for router management. When a user interacts with the LAN Web Administration interface, the user interface elements trigger actions that generate HTTP requests to interact with the local server. This process contains an uninitialized variable. Due to the uninitialized variable, an unauthenticated attacker could perform memory corruption on the router via specially crafted HTTP requests to hijack execution or inject malicious payloads. If EasyVPN is enabled, the flaw could be remotely exploited through the VPN interface.\nImpact\nA remote, unathenticated attacker can exploit this vulnerability through accessing the LAN interface—or potentially the WAN interface—if EasyVPN is enabled or remote administration over the internet is activated. If a remote, unauthenticated attacker leverages this vulnerability, they can execute arbitrary code on the router (RCE) and gain full control of the device. A successful attack could result in a attacker gaining root access to a Vigor router to then install backdoors, reconfigure network settings, or block traffic. An attacker may also pivot for lateral movement via intercepting internal communications and bypassing VPNs.\nSolution\nThe DrayTek Security team has developed a series of patches to remediate the vulnerability, and all users of Vigor routers should upgrade to the latest version ASAP. The patches can be found on the resources page of the DrayTek webpage, and the security advisory can be found within the about section of the DrayTek webpage. Consult either the CVE listing or the advisory page for a full list of affected products.\nAcknowledgements\nThanks to the reporter, Pierre-Yves MAES of ChapsVision (pymaes@chapsvision.com). This document was written by Ayushi Kriplani.",
"title": "Vigor routers running DrayOS are vulnerable to RCE via EasyVPN and LAN web administration interface"
}
]

106
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/certcc-documents.snapshot.json Normal file
View File

@@ -0,0 +1,106 @@
[
{
"contentType": "application/json; charset=utf-8",
"etag": "\"certcc-summary-2025-09\"",
"lastModified": "2025-09-30T12:00:00.0000000+00:00",
"metadata": {
"attempts": "1",
"certcc.month": "09",
"certcc.scope": "monthly",
"certcc.year": "2025",
"fetchedAt": "2025-11-01T08:00:00.0000000+00:00"
},
"sha256": "0475f0766d6b96d7dc7683cf6b418055c8ecbef88a73ab5d75ce428fbd0900fc",
"status": "pending-parse",
"uri": "https://www.kb.cert.org/vuls/api/2025/09/summary/"
},
{
"contentType": "application/json; charset=utf-8",
"etag": "\"certcc-summary-2025-10\"",
"lastModified": "2025-10-31T12:00:00.0000000+00:00",
"metadata": {
"attempts": "1",
"certcc.month": "10",
"certcc.scope": "monthly",
"certcc.year": "2025",
"fetchedAt": "2025-11-01T08:00:00.0000000+00:00"
},
"sha256": "363e3ddcd31770e5f41913328318ca0e5bf384bb059d5673ba14392f29f7296f",
"status": "pending-parse",
"uri": "https://www.kb.cert.org/vuls/api/2025/10/summary/"
},
{
"contentType": "application/json; charset=utf-8",
"etag": "\"certcc-summary-2025\"",
"lastModified": "2025-10-31T12:01:00.0000000+00:00",
"metadata": {
"attempts": "1",
"certcc.scope": "yearly",
"certcc.year": "2025",
"fetchedAt": "2025-11-01T08:00:00.0000000+00:00"
},
"sha256": "363e3ddcd31770e5f41913328318ca0e5bf384bb059d5673ba14392f29f7296f",
"status": "pending-parse",
"uri": "https://www.kb.cert.org/vuls/api/2025/summary/"
},
{
"contentType": "application/json; charset=utf-8",
"etag": "\"certcc-note-294418\"",
"lastModified": "2025-10-09T16:52:00.0000000+00:00",
"metadata": {
"attempts": "1",
"certcc.endpoint": "note",
"certcc.noteId": "294418",
"certcc.vuid": "VU#294418",
"fetchedAt": "2025-11-01T08:00:00.0000000+00:00"
},
"sha256": "5dd5c9bcd6ed6f20a2fc07a308af9f420b9a07120fe5934de2a1c26724eb36d3",
"status": "pending-parse",
"uri": "https://www.kb.cert.org/vuls/api/294418/"
},
{
"contentType": "application/json; charset=utf-8",
"etag": "\"certcc-vendors-294418\"",
"lastModified": "2025-10-09T17:05:00.0000000+00:00",
"metadata": {
"attempts": "1",
"certcc.endpoint": "vendors",
"certcc.noteId": "294418",
"certcc.vuid": "VU#294418",
"fetchedAt": "2025-11-01T08:00:00.0000000+00:00"
},
"sha256": "b81aad835ab289c2ac68262825d0f0d5eb9212bc7b3569c84921d0fe5160734f",
"status": "pending-parse",
"uri": "https://www.kb.cert.org/vuls/api/294418/vendors/"
},
{
"contentType": "application/json; charset=utf-8",
"etag": "\"certcc-vendor-statuses-294418\"",
"lastModified": "2025-10-09T17:12:00.0000000+00:00",
"metadata": {
"attempts": "1",
"certcc.endpoint": "vendors-vuls",
"certcc.noteId": "294418",
"certcc.vuid": "VU#294418",
"fetchedAt": "2025-11-01T08:00:00.0000000+00:00"
},
"sha256": "6ad928c8a1b0410693417869d83062347747a79da6946404d94d14a2458c23ea",
"status": "pending-parse",
"uri": "https://www.kb.cert.org/vuls/api/294418/vendors/vuls/"
},
{
"contentType": "application/json; charset=utf-8",
"etag": "\"certcc-vuls-294418\"",
"lastModified": "2025-10-09T17:10:00.0000000+00:00",
"metadata": {
"attempts": "1",
"certcc.endpoint": "vuls",
"certcc.noteId": "294418",
"certcc.vuid": "VU#294418",
"fetchedAt": "2025-11-01T08:00:00.0000000+00:00"
},
"sha256": "5de3b82f360e1ff06f15873f55ff10b7c4fc11ca65a5f77a3941a82018a8a7de",
"status": "pending-parse",
"uri": "https://www.kb.cert.org/vuls/api/294418/vuls/"
}
]

92
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/certcc-requests.snapshot.json Normal file
View File

@@ -0,0 +1,92 @@
[
{
"headers": {
"accept": "application/json",
"ifModifiedSince": null,
"ifNoneMatch": null
},
"method": "GET",
"uri": "https://www.kb.cert.org/vuls/api/2025/09/summary/"
},
{
"headers": {
"accept": "application/json",
"ifModifiedSince": null,
"ifNoneMatch": null
},
"method": "GET",
"uri": "https://www.kb.cert.org/vuls/api/2025/10/summary/"
},
{
"headers": {
"accept": "application/json",
"ifModifiedSince": null,
"ifNoneMatch": null
},
"method": "GET",
"uri": "https://www.kb.cert.org/vuls/api/294418/"
},
{
"headers": {
"accept": "application/json",
"ifModifiedSince": null,
"ifNoneMatch": null
},
"method": "GET",
"uri": "https://www.kb.cert.org/vuls/api/294418/vendors/"
},
{
"headers": {
"accept": "application/json",
"ifModifiedSince": null,
"ifNoneMatch": null
},
"method": "GET",
"uri": "https://www.kb.cert.org/vuls/api/294418/vuls/"
},
{
"headers": {
"accept": "application/json",
"ifModifiedSince": null,
"ifNoneMatch": null
},
"method": "GET",
"uri": "https://www.kb.cert.org/vuls/api/294418/vendors/vuls/"
},
{
"headers": {
"accept": "application/json",
"ifModifiedSince": null,
"ifNoneMatch": null
},
"method": "GET",
"uri": "https://www.kb.cert.org/vuls/api/2025/summary/"
},
{
"headers": {
"accept": "application/json",
"ifModifiedSince": "Fri, 31 Oct 2025 12:00:00 GMT",
"ifNoneMatch": "\"certcc-summary-2025-10\""
},
"method": "GET",
"uri": "https://www.kb.cert.org/vuls/api/2025/10/summary/"
},
{
"headers": {
"accept": "application/json",
"ifModifiedSince": null,
"ifNoneMatch": null
},
"method": "GET",
"uri": "https://www.kb.cert.org/vuls/api/2025/11/summary/"
},
{
"headers": {
"accept": "application/json",
"ifModifiedSince": "Fri, 31 Oct 2025 12:01:00 GMT",
"ifNoneMatch": "\"certcc-summary-2025\""
},
"method": "GET",
"uri": "https://www.kb.cert.org/vuls/api/2025/summary/"
}
]

13
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/certcc-state.snapshot.json Normal file
View File

@@ -0,0 +1,13 @@
{
"backoffUntil": null,
"failCount": 0,
"lastFailure": null,
"lastRun": "2025-11-01T08:00:00.0000000Z",
"lastSuccess": "2025-11-01T08:00:00+00:00",
"pendingNotes": [],
"pendingSummaries": [],
"summary": {
"end": "2025-10-17T08:00:00.0000000Z",
"start": "2025-09-17T08:00:00.0000000Z"
}
}

4
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/summary-2025-09.json Normal file
View File

@@ -0,0 +1,4 @@
{
"count": 0,
"notes": []
}

6
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/summary-2025-10.json Normal file
View File

@@ -0,0 +1,6 @@
{
"count": 1,
"notes": [
"VU#294418"
]
}

4
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/summary-2025-11.json Normal file
View File

@@ -0,0 +1,4 @@
{
"count": 0,
"notes": []
}

6
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/summary-2025.json Normal file
View File

@@ -0,0 +1,6 @@
{
"count": 1,
"notes": [
"VU#294418"
]
}

11
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vendor-statuses-294418.json Normal file
View File

@@ -0,0 +1,11 @@
[
{
"vul": "CVE-2025-10547",
"vendor": "DrayTek Corporation",
"status": "Affected",
"date_added": "2025-10-03T11:35:31.202991Z",
"dateupdated": "2025-10-03T11:40:09.944401Z",
"references": null,
"statement": null
}
]

12
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vendors-294418.json Normal file
View File

@@ -0,0 +1,12 @@
[
{
"note": "294418",
"contact_date": "2025-09-15T19:03:33.664345Z",
"vendor": "DrayTek Corporation",
"references": "",
"statement": "The issue is confirmed, and here is the patch list\r\n\r\nV3912/V3910/V2962/V1000B\t4.4.3.6/4.4.5.1\r\nV2927/V2865/V2866\t4.5.1\r\nV2765/V2766/V2763/V2135\t4.5.1\r\nV2915\t4.4.6.1\r\nV2862/V2926\t3.9.9.12\r\nV2952/3220\t3.9.8.8\r\nV2860/V2925\t3.9.8.6\r\nV2133/V2762/V2832\t3.9.9.4\r\nV2620/LTE200\t3.9.9.5",
"dateupdated": "2025-10-03T11:35:31.190661Z",
"statement_date": "2025-09-16T02:27:51.346335Z",
"addendum": null
}
]

87
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vu-257161.json Normal file
View File

@@ -0,0 +1,87 @@
{
"vuid": "VU#257161",
"idnumber": "257161",
"name": "Treck IP stacks contain multiple vulnerabilities",
"keywords": null,
"overview": "### Overview\r\nTreck IP stack implementations for embedded systems are affected by multiple vulnerabilities. This set of vulnerabilities was researched and reported by JSOF, who calls them [Ripple20](https://www.jsof-tech.com/ripple20/).\r\n\r\n### Description\r\nTreck IP network stack software is designed for and used in a variety of embedded systems. The software can be licensed and integrated in various ways, including compiled from source, licensed for modification and reuse and finally as a dynamic or static linked library. Treck IP software contains multiple vulnerabilities, most of which are caused by [memory management bugs](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152142). For more details on the vulnerabilities introduced by these bugs, see Treck's [ Vulnerability Response Information](https://treck.com/vulnerability-response-information/) and JSOF's [Ripple20 advisory](https://www.jsof-tech.com/ripple20/).\r\n\r\nHistorically-related KASAGO TCP/IP middleware from Zuken Elmic (formerly Elmic Systems) is also affected by some of these vulnerabilities. \r\n\r\nThese vulnerabilities likely affect industrial control systems and medical devices. Please see ICS-CERT Advisory [ICSA-20-168-01](https://www.us-cert.gov/ics/advisories/icsa-20-168-01) for more information.\r\n\r\n### Impact ###\r\nThe impact of these vulnerabilities will vary due to the combination of build and runtime options used while developing different embedded systems. This diversity of implementations and the lack of supply chain visibility has exasperated the problem of accurately assessing the impact of these vulnerabilities. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause a denial of service, disclose information, or execute arbitrary code.\r\n\r\n### Solution\r\n#### Apply updates\r\nUpdate to the latest stable version of Treck IP stack software (6.0.1.67 or later). Please contact Treck at <security@treck.com>. Downstream users of embedded systems that incorporate Treck IP stacks should contact their embedded system vendor.\r\n\r\n#### Block anomalous IP traffic\r\nConsider blocking network attacks via deep packet inspection. In some cases, modern switches, routers, and firewalls will drop malformed packets with no additional configuration. It is recommended that such security features are not disabled. Below is a list of possible mitigations that can be applied as appropriate to your network environment.\r\n\r\n* Normalize or reject IP fragmented packets (IP Fragments) if not supported in your environment \r\n* Disable or block IP tunneling, both IPv6-in-IPv4 or IP-in-IP tunneling if not required\r\n* Block IP source routing and any IPv6 deprecated features like routing headers (see also [VU#267289](https://www.kb.cert.org/vuls/id/267289))\r\n* Enforce TCP inspection and reject malformed TCP packets \r\n* Block unused ICMP control messages such MTU Update and Address Mask updates\r\n* Normalize DNS through a secure recursive server or application layer firewall\r\n* Ensure that you are using reliable OSI layer 2 equipment (Ethernet)\r\n* Provide DHCP/DHCPv6 security with feature like DHCP snooping\r\n* Disable or block IPv6 multicast if not used in switching infrastructure\r\n\r\nFurther recommendations are available [here](https://github.com/CERTCC/PoC-Exploits/blob/master/vu-257161/recommendations.md).\r\n\r\n#### Detect anomalous IP traffic\r\nSuricata IDS has built-in decoder-event rules that can be customized to detect attempts to exploit these vulnerabilities. See the rule below for an example. A larger set of selected [vu-257161.rules](https://github.com/CERTCC/PoC-Exploits/blob/master/vu-257161/vu-257161.rules) are available from the CERT/CC Github repository.\r\n\r\n`#IP-in-IP tunnel with fragments` \r\n`alert ip any any -> any any (msg:\"VU#257161:CVE-2020-11896, CVE-2020-11900 Fragments inside IP-in-IP tunnel https://kb.cert.org/vuls/id/257161\"; ip_proto:4; fragbits:M; sid:1367257161; rev:1;)`\r\n\r\n### Acknowledgements\r\nMoshe Kol and Shlomi Oberman of JSOF https://jsof-tech.com researched and reported these vulnerabilities. Treck worked closely with us and other stakeholders to coordinate the disclosure of these vulnerabilities.\r\n\r\nThis document was written by Vijay Sarvepalli.",
"clean_desc": null,
"impact": null,
"resolution": null,
"workarounds": null,
"sysaffected": null,
"thanks": null,
"author": null,
"public": [
"https://www.jsof-tech.com/ripple20/",
"https://treck.com/vulnerability-response-information/",
"https://www.us-cert.gov/ics/advisories/icsa-20-168-01",
"https://jvn.jp/vu/JVNVU94736763/index.html"
],
"cveids": [
"CVE-2020-11902",
"CVE-2020-11913",
"CVE-2020-11898",
"CVE-2020-11907",
"CVE-2020-11901",
"CVE-2020-11903",
"CVE-2020-11904",
"CVE-2020-11906",
"CVE-2020-11910",
"CVE-2020-11911",
"CVE-2020-11912",
"CVE-2020-11914",
"CVE-2020-11899",
"CVE-2020-11896",
"CVE-2020-11897",
"CVE-2020-11905",
"CVE-2020-11908",
"CVE-2020-11900",
"CVE-2020-11909",
"CVE-2020-0597",
"CVE-2020-0595",
"CVE-2020-8674",
"CVE-2020-0594"
],
"certadvisory": null,
"uscerttechnicalalert": null,
"datecreated": "2020-06-16T17:13:53.220714Z",
"publicdate": "2020-06-16T00:00:00Z",
"datefirstpublished": "2020-06-16T17:13:53.238540Z",
"dateupdated": "2022-09-20T01:54:35.485507Z",
"revision": 48,
"vrda_d1_directreport": null,
"vrda_d1_population": null,
"vrda_d1_impact": null,
"cam_widelyknown": null,
"cam_exploitation": null,
"cam_internetinfrastructure": null,
"cam_population": null,
"cam_impact": null,
"cam_easeofexploitation": null,
"cam_attackeraccessrequired": null,
"cam_scorecurrent": null,
"cam_scorecurrentwidelyknown": null,
"cam_scorecurrentwidelyknownexploited": null,
"ipprotocol": null,
"cvss_accessvector": null,
"cvss_accesscomplexity": null,
"cvss_authentication": null,
"cvss_confidentialityimpact": null,
"cvss_integrityimpact": null,
"cvss_availabilityimpact": null,
"cvss_exploitablity": null,
"cvss_remediationlevel": null,
"cvss_reportconfidence": null,
"cvss_collateraldamagepotential": null,
"cvss_targetdistribution": null,
"cvss_securityrequirementscr": null,
"cvss_securityrequirementsir": null,
"cvss_securityrequirementsar": null,
"cvss_basescore": null,
"cvss_basevector": null,
"cvss_temporalscore": null,
"cvss_environmentalscore": null,
"cvss_environmentalvector": null,
"metric": null,
"vulnote": 7
}

12
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vu-294418-vendors.json Normal file
View File

@@ -0,0 +1,12 @@
[
{
"note": "294418",
"contact_date": "2025-09-15T19:03:33.664345Z",
"vendor": "DrayTek Corporation",
"references": "",
"statement": "The issue is confirmed, and here is the patch list\r\n\r\nV3912/V3910/V2962/V1000B\t4.4.3.6/4.4.5.1\r\nV2927/V2865/V2866\t4.5.1\r\nV2765/V2766/V2763/V2135\t4.5.1\r\nV2915\t4.4.6.1\r\nV2862/V2926\t3.9.9.12\r\nV2952/3220\t3.9.8.8\r\nV2860/V2925\t3.9.8.6\r\nV2133/V2762/V2832\t3.9.9.4\r\nV2620/LTE200\t3.9.9.5",
"dateupdated": "2025-10-03T11:35:31.190661Z",
"statement_date": "2025-09-16T02:27:51.346335Z",
"addendum": null
}
]

11
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vu-294418-vuls.json Normal file
View File

@@ -0,0 +1,11 @@
[
{
"note": "294418",
"cve": "2025-10547",
"description": "An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption.",
"uid": "CVE-2025-10547",
"case_increment": 1,
"date_added": "2025-10-03T11:35:31.177872Z",
"dateupdated": "2025-10-03T11:40:09.915649Z"
}
]

63
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vu-294418.json Normal file
View File

@@ -0,0 +1,63 @@
{
"vuid": "VU#294418",
"idnumber": "294418",
"name": "Vigor routers running DrayOS are vulnerable to RCE via EasyVPN and LAN web administration interface",
"keywords": null,
"overview": "### Overview\r\nA remote code execution (RCE) vulnerability, tracked as CVE-2025-10547, was discovered through the EasyVPN and LAN web administration interface of Vigor routers by Draytek. A script in the LAN web administration interface uses an unitialized variable, allowing an attacker to send specially crafted HTTP requests that cause memory corruption and potentially allow arbitrary code execution.\r\n\t\r\n### Description\r\nVigor routers are business-grade routers, designed for small to medium-sized businesses, made by Draytek. These routers provide routing, firewall, VPN, content-filtering, bandwidth management, LAN (local area network), and multi-WAN (wide area network) features. Draytek utilizes a proprietary firmware, DrayOS, on the Vigor router line. DrayOS features the EasyVPN and LAN Web Administrator tool s to facilitate LAN and VPN setup. According to the DrayTek [website](https://www.draytek.com/support/knowledge-base/12023), \"with EasyVPN, users no longer need to generate WireGuard keys, import OpenVPN configuration files, or upload certificates. Instead, VPN can be successfully established by simply entering the username and password or getting the OTP code by email.\" \r\n\r\nThe LAN Web Administrator provides a browser-based user interface for router management. When a user interacts with the LAN Web Administration interface, the user interface elements trigger actions that generate HTTP requests to interact with the local server. This process contains an uninitialized variable. Due to the uninitialized variable, an unauthenticated attacker could perform memory corruption on the router via specially crafted HTTP requests to hijack execution or inject malicious payloads. If EasyVPN is enabled, the flaw could be remotely exploited through the VPN interface.\r\n\r\n### Impact\r\nA remote, unathenticated attacker can exploit this vulnerability through accessing the LAN interface\u2014or potentially the WAN interface\u2014if EasyVPN is enabled or remote administration over the internet is activated. If a remote, unauthenticated attacker leverages this vulnerability, they can execute arbitrary code on the router (RCE) and gain full control of the device. A successful attack could result in a attacker gaining root access to a Vigor router to then install backdoors, reconfigure network settings, or block traffic. An attacker may also pivot for lateral movement via intercepting internal communications and bypassing VPNs. \r\n\r\n### Solution\r\nThe DrayTek Security team has developed a series of patches to remediate the vulnerability, and all users of Vigor routers should upgrade to the latest version ASAP. The patches can be found on the [resources](https://www.draytek.com/support/resources?type=version) page of the DrayTek webpage, and the security advisory can be found within the [about](https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/) section of the DrayTek webpage. Consult either the CVE [listing](https://nvd.nist.gov/vuln/detail/CVE-2025-10547) or the [advisory page](https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/) for a full list of affected products. \r\n\r\n### Acknowledgements\r\nThanks to the reporter, Pierre-Yves MAES of ChapsVision (pymaes@chapsvision.com). This document was written by Ayushi Kriplani.",
"clean_desc": null,
"impact": null,
"resolution": null,
"workarounds": null,
"sysaffected": null,
"thanks": null,
"author": null,
"public": [
"https://www.draytek.com/about/security-advisory/use-of-uninitialized-variable-vulnerabilities/",
"https://www.draytek.com/support/resources?type=version"
],
"cveids": [
"CVE-2025-10547"
],
"certadvisory": null,
"uscerttechnicalalert": null,
"datecreated": "2025-10-03T11:35:31.224065Z",
"publicdate": "2025-10-03T11:35:31.026053Z",
"datefirstpublished": "2025-10-03T11:35:31.247121Z",
"dateupdated": "2025-10-03T11:40:09.876722Z",
"revision": 2,
"vrda_d1_directreport": null,
"vrda_d1_population": null,
"vrda_d1_impact": null,
"cam_widelyknown": null,
"cam_exploitation": null,
"cam_internetinfrastructure": null,
"cam_population": null,
"cam_impact": null,
"cam_easeofexploitation": null,
"cam_attackeraccessrequired": null,
"cam_scorecurrent": null,
"cam_scorecurrentwidelyknown": null,
"cam_scorecurrentwidelyknownexploited": null,
"ipprotocol": null,
"cvss_accessvector": null,
"cvss_accesscomplexity": null,
"cvss_authentication": null,
"cvss_confidentialityimpact": null,
"cvss_integrityimpact": null,
"cvss_availabilityimpact": null,
"cvss_exploitablity": null,
"cvss_remediationlevel": null,
"cvss_reportconfidence": null,
"cvss_collateraldamagepotential": null,
"cvss_targetdistribution": null,
"cvss_securityrequirementscr": null,
"cvss_securityrequirementsir": null,
"cvss_securityrequirementsar": null,
"cvss_basescore": null,
"cvss_basevector": null,
"cvss_temporalscore": null,
"cvss_environmentalscore": null,
"cvss_environmentalvector": null,
"metric": null,
"vulnote": 142
}

11
src/Concelier/__Tests/StellaOps.Concelier.Connector.CertCc.Tests/Fixtures/vulnerabilities-294418.json Normal file
View File

@@ -0,0 +1,11 @@
[
{
"note": "294418",
"cve": "2025-10547",
"description": "An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption.",
"uid": "CVE-2025-10547",
"case_increment": 1,
"date_added": "2025-10-03T11:35:31.177872Z",
"dateupdated": "2025-10-03T11:40:09.915649Z"
}
]