o A vulnerability in WIZVERA Veraport could allow a remote attacker to cause arbitrary file execution.
o The vulnerability is due to a lack of proper input validation of the remote installation.
Remote code execution
o (CVE-2018-5198) A race condition when calling the Veraport API allows a remote attacker to cause arbitrary file download and execution. This results in remote code execution.
o (CVE-2018-5199) Due to insufficient domain validation, it is possible to overwrite the installation file with a malicious file. A remote unauthenticated attacker may use this vulnerability to execute an arbitrary file.
□ Affected Products
o Update to patched release version (220.127.116.11)
□ Reference site
o Thanks to Youngsung Kim for reporting these vulnerabilities through KrCERT/CC's Vulnerability Reward Program.