CVE-2018-10990

On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser.

CVSS v3 8.0 HIGH
CVSS v2.0 7.5 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:C

Exploitability : 6.8 / Impact : 8.5

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact COMPLETE

References

Link	Resource
https://medium.com/%40AkshaySharmaUS/comcast-arris-touchstone-gateway-devices-are-vulnerable-heres-the-disclosure-7d603aa9342c

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:commscope:arris_tg1682g_firmware:9.1.103j6:*:*:*:*:*:*:*

cpe:2.3:h:commscope:arris_tg1682g:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-05-14 14:29

Updated : 2023-11-07 02:51

NVD link : CVE-2018-10990

Mitre link : CVE-2018-10990

CVE.ORG link : CVE-2018-10990

JSON object : View

Products Affected

commscope

arris_tg1682g_firmware
arris_tg1682g

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2018-10990", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:C", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 8.5, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}]}, "published": "2018-05-14T14:29:00.350", "references": [{"url": "https://medium.com/%40AkshaySharmaUS/comcast-arris-touchstone-gateway-devices-are-vulnerable-heres-the-disclosure-7d603aa9342c", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the \"credential\" cookie, which might make it easier for attackers to obtain access at a later time (e.g., \"at least for a few minutes\"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser."}, {"lang": "es", "value": "En dispositivos Arris Touchstone Telephony Gateway TG1682G 9.1.103J6, una acci\u00f3n de finalizaci\u00f3n de sesi\u00f3n no destruye inmediatamente todo el estado del dispositivo relacionado con la validez de la cookie \"credential\", lo que hace que sea m\u00e1s f\u00e1cil para los atacantes obtener acceso posteriormente (por ejemplo, \"al menos un par de minutos\"). NOTA: no existe ninguna documentaci\u00f3n que hable de que se supone que la caracter\u00edstica de finalizaci\u00f3n de sesi\u00f3n de la interfaz de usuario web hace algo m\u00e1s all\u00e1 de eliminar la cookie de una instancia de un navegador web. La acci\u00f3n de finalizar la sesi\u00f3n del lado del cliente no suele considerar casos en los que una persona ha hecho una copia de una cookie fuera de un navegador."}], "lastModified": "2023-11-07T02:51:36.050", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:commscope:arris_tg1682g_firmware:9.1.103j6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B89139C7-E762-4F5F-A6AD-CC67CFC96136"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:commscope:arris_tg1682g:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5D2AFAD9-07CD-4960-801F-A602CB31BD61"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}