CVE-2017-18370

The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is only accessible by an authenticated user. The vulnerability is in the logSet.asp page and can be exploited through the ServerIP parameter. Authentication can be achieved by exploiting CVE-2017-18371.

CVSS v3 8.8 HIGH
CVSS v2.0 9.0 HIGH

8.8^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.zyxel.com/support/announcement_unauthenticated.shtml	Broken Link
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt	Exploit Third Party Advisory
https://seclists.org/fulldisclosure/2017/Jan/40	Mailing List Exploit Third Party Advisory
https://ssd-disclosure.com/index.php/archives/2910	Exploit Technical Description Third Party Advisory
https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/	Technical Description Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:billion:5200w-t_firmware:7.3.8.0:*:*:*:*:*:*:*

cpe:2.3:h:billion:5200w-t:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:zyxel:p660hn-t1a_v2_firmware:7.3.37.6:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:p660hn-t1a_v2:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:zyxel:p660hn-t1a_v1_firmware:7.3.37.6:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:p660hn-t1a_v1:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-05-02 17:29

Updated : 2019-10-03 00:03

NVD link : CVE-2017-18370

Mitre link : CVE-2017-18370

CVE.ORG link : CVE-2017-18370

JSON object : View

Products Affected

zyxel

p660hn-t1a_v1_firmware
p660hn-t1a_v2
p660hn-t1a_v2_firmware
p660hn-t1a_v1

billion

5200w-t
5200w-t_firmware

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2017-18370", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-05-02T17:29:00.880", "references": [{"url": "http://www.zyxel.com/support/announcement_unauthenticated.shtml", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://seclists.org/fulldisclosure/2017/Jan/40", "tags": ["Mailing List", "Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://ssd-disclosure.com/index.php/archives/2910", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/", "tags": ["Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is only accessible by an authenticated user. The vulnerability is in the logSet.asp page and can be exploited through the ServerIP parameter. Authentication can be achieved by exploiting CVE-2017-18371."}, {"lang": "es", "value": "El router P660HN-T1A v2 TCLinux Fw # 7.3.37.6 de ZyXEL distribuido por TrueOnline tiene una vulnerabilidad de inyecci\u00f3n de comandos en la funci\u00f3n de reenv\u00edo de registro del sistema remoto (Remote System Log forwarding), que solo es accesible por un usuario identificado. La vulnerabilidad est\u00e1 en la p\u00e1gina logSet.asp y puede ser aprovechada por medio del par\u00e1metro ServerIP. La autorizaci\u00f3n se puede lograr mediante la funci\u00f3n de CVE-2017-18371."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:billion:5200w-t_firmware:7.3.8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C756E02F-45B7-4F40-AEEC-DCC334023F8B"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:billion:5200w-t:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B8F97C92-C53D-4578-92ED-9327E3646FDB"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:p660hn-t1a_v2_firmware:7.3.37.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A338A056-6EC1-4CFB-A10D-1CB8D1771502"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:p660hn-t1a_v2:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1C6D563A-3210-4459-BE4D-5CC36CAF6784"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:p660hn-t1a_v1_firmware:7.3.37.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "524CE722-B1A3-43F9-84D5-F63B57D6BCC6"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:p660hn-t1a_v1:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3AF29B50-0AE2-444C-A251-C27DEBDC064B"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}