Sign-up

ID

VAR-201202-0093


CVE

CVE-2012-0314


TITLE

Emobile Pocket WiFi GP02 Cross-Site Request Forgery Vulnerability

Trust: 1.5

sources: CNVD: CNVD-2012-0386 // BID: 51782 // CNNVD: CNNVD-201202-040

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities on the eAccess Pocket WiFi (aka GP02) router before 2.00 with firmware 11.203.11.05.168 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) initialize settings or (2) reboot the device. Pocket WiFi (GP02) contains a cross-site request forgery vulnerability. Pocket WiFi (GP02) provided by eAccess Ltd. is a mobile wireless LAN router. Pocket WiFi (GP02) contains a cross-site request forgery vulnerability. Naoto Katsumi of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.If a user views a malicious page while logged in, settings of Pocket WiFi (GP02) may be initialized, or Pocket WiFi (GP02) may be rebooted. Successful exploits can result in privileged commands running on the affected devices, including changing settings and rebooting the device. This may lead to further network-based attacks. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Emobile Pocket WiFi GP02 Cross-Site Request Forgery Vulnerability SECUNIA ADVISORY ID: SA47795 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47795/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47795 RELEASE DATE: 2012-02-01 DISCUSS ADVISORY: http://secunia.com/advisories/47795/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47795/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47795 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Emobile Pocket Wifi GP02, which can be exploited by malicious people to conduct cross-site request forgery attacks. The device's web interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change settings and reboot the device by tricking a logged in user into visiting a malicious web site. SOLUTION: Install update. Please see the vendor's link for details. PROVIDED AND/OR DISCOVERED BY: JVN credits Naoto Katsumi, LAC Co. ORIGINAL ADVISORY: JVN (English): http://jvndb.jvn.jp/en/contents/2012/JVNDB-2012-000010.html http://jvn.jp/en/jp/JVN33021167/index.html JVN (Japanese): http://jvn.jp/jp/JVN33021167/index.html Emobile: http://emobile.jp/topics/info20120201_01.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.61

sources: NVD: CVE-2012-0314 // JVNDB: JVNDB-2012-000010 // CNVD: CNVD-2012-0386 // BID: 51782 // VULHUB: VHN-53595 // PACKETSTORM: 109350

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2012-0386

AFFECTED PRODUCTS

vendor:emobilemodel:pocket wifiscope:lteversion:11.203.11.05.168

Trust: 1.0

vendor:emobilemodel:pocket wifiscope:lteversion:2.0

Trust: 1.0

vendor:eaccessmodel:emobile pocket wifi gp02scope:eqversion:11.203.11.05.168

Trust: 0.9

vendor:eaccessmodel:pocket wifiscope:lteversion:firmware version 11.203.11.05.168 earlier

Trust: 0.8

vendor:emobilemodel:pocket wifiscope:eqversion:11.203.11.05.168

Trust: 0.6

sources: CNVD: CNVD-2012-0386 // BID: 51782 // JVNDB: JVNDB-2012-000010 // CNNVD: CNNVD-201202-040 // NVD: CVE-2012-0314

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2012-0314
value: MEDIUM

Trust: 1.0

IPA: JVNDB-2012-000010
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201202-040
value: MEDIUM

Trust: 0.6

VULHUB: VHN-53595
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2012-0314
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2012-000010
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:H/AU:N/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-53595
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-53595 // JVNDB: JVNDB-2012-000010 // CNNVD: CNNVD-201202-040 // NVD: CVE-2012-0314

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-53595 // JVNDB: JVNDB-2012-000010 // NVD: CVE-2012-0314

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201202-040

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201202-040

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2012-000010

PATCH
title:Update information -- 2012/2/1 Pocket WiFi (GP02) availableurl:http://emobile.jp/topics/info20120201_01.html
Trust: 0.8
title:Emobile Pocket WiFi GP02 Cross-Site Request Forgery Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/8686
Trust: 0.6
title:GP02_Firm_Update_win_V2_00url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42570
Trust: 0.6
title:GP02_Firm_Update_mac_V2_00url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42571
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2012-0386 // 
            
            
            
            JVNDB: JVNDB-2012-000010 // 
            
            
            
            CNNVD: CNNVD-201202-040

EXTERNAL IDS
db:NVDid:CVE-2012-0314
Trust: 3.4
db:JVNid:JVN33021167
Trust: 2.9
db:JVNDBid:JVNDB-2012-000010
Trust: 2.9
db:SECUNIAid:47795
Trust: 2.0
db:BIDid:51782
Trust: 2.0
db:CNNVDid:CNNVD-201202-040
Trust: 0.7
db:CNVDid:CNVD-2012-0386
Trust: 0.6
db:JVNid:JVN#33021167
Trust: 0.6
db:VULHUBid:VHN-53595
Trust: 0.1
db:PACKETSTORMid:109350
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2012-0386 // 
            
            
            
            VULHUB: VHN-53595 // 
            
            
            
            BID: 51782 // 
            
            
            
            JVNDB: JVNDB-2012-000010 // 
            
            
            
            PACKETSTORM: 109350 // 
            
            
            
            CNNVD: CNNVD-201202-040 // 
            
            
            
            NVD: CVE-2012-0314

REFERENCES
url:http://jvn.jp/en/jp/jvn33021167/index.html
Trust: 2.6
url:http://emobile.jp/topics/info20120201_01.html
Trust: 1.8
url:http://www.securityfocus.com/bid/51782
Trust: 1.7
url:http://jvndb.jvn.jp/jvndb/jvndb-2012-000010
Trust: 1.7
url:http://secunia.com/advisories/47795
Trust: 1.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-0314
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-0314
Trust: 0.8
url:http://secunia.com/advisories/47795/
Trust: 0.7
url:http://jvndb.jvn.jp/en/contents/2012/jvndb-2012-000010.html
Trust: 0.4
url:http://www.jvn.jp/en/jp/jvn33021167/index.html
Trust: 0.3
url:http://emobile.jp/products/hw/gp02/
Trust: 0.3
url:http://secunia.com/advisories/47795/#comments
Trust: 0.1
url:http://jvn.jp/jp/jvn33021167/index.html
Trust: 0.1
url:http://secunia.com/company/jobs/
Trust: 0.1
url:http://secunia.com/vulnerability_intelligence/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
Trust: 0.1
url:http://secunia.com/advisories/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/personal/
Trust: 0.1
url:https://ca.secunia.com/?page=viewadvisory&vuln_id=47795
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/advisories/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2012-0386 // 
            
            
            
            VULHUB: VHN-53595 // 
            
            
            
            BID: 51782 // 
            
            
            
            JVNDB: JVNDB-2012-000010 // 
            
            
            
            PACKETSTORM: 109350 // 
            
            
            
            CNNVD: CNNVD-201202-040 // 
            
            
            
            NVD: CVE-2012-0314

CREDITS
Naoto Katsumi of LAC Co
Trust: 0.9
sources:
            
            
            BID: 51782 // 
            
            
            
            CNNVD: CNNVD-201202-040

SOURCES
db:CNVDid:CNVD-2012-0386
db:VULHUBid:VHN-53595
db:BIDid:51782
db:JVNDBid:JVNDB-2012-000010
db:PACKETSTORMid:109350
db:CNNVDid:CNNVD-201202-040
db:NVDid:CVE-2012-0314

LAST UPDATE DATE
2024-08-14T15:35:17.487000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2012-0386date:2012-02-03T00:00:00
db:VULHUBid:VHN-53595date:2012-02-09T00:00:00
db:BIDid:51782date:2012-02-01T00:00:00
db:JVNDBid:JVNDB-2012-000010date:2012-02-01T00:00:00
db:CNNVDid:CNNVD-201202-040date:2012-02-06T00:00:00
db:NVDid:CVE-2012-0314date:2012-02-09T04:10:12.143

SOURCES RELEASE DATE
db:CNVDid:CNVD-2012-0386date:2012-02-03T00:00:00
db:VULHUBid:VHN-53595date:2012-02-03T00:00:00
db:BIDid:51782date:2012-02-01T00:00:00
db:JVNDBid:JVNDB-2012-000010date:2012-02-01T00:00:00
db:PACKETSTORMid:109350date:2012-02-02T03:30:42
db:CNNVDid:CNNVD-201202-040date:1900-01-01T00:00:00
db:NVDid:CVE-2012-0314date:2012-02-03T04:05:51.333