ID

VAR-201310-0248


CVE

CVE-2013-3963


TITLE

Cross-site request forgery vulnerability in goform/usermanage in multiple Grandstream products

Trust: 0.8

sources: JVNDB: JVNDB-2013-004459

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in goform/usermanage in Grandstream GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, GXV3500, and possibly other camera models allows remote attackers to hijack the authentication of unspecified victims for requests that add users.

The telnet service in multiple Grandstream products has a built-in account that remote attackers can use to gain unauthorized access and perform a factory reset or firmware upgrade. Grandstream is a vendor of IP phones and network video surveillance solutions.

The web interface of multiple Grandstream products has cross-site request forgery vulnerabilities that allow an attacker to build a malicious URI, entice a logged-in user to open it, and perform malicious operations in the target user's context, such as adding new users. The affected products are as follows: GXV3500, GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3615WP_HD, GXV3651FHD, GXV3662HD.

Multiple Grandstream IP cameras, including GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, and GXV3500, are prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.

Grandstream GXV3501 and others are network camera products from the American company Grandstream Networks (Grandstream).

===============================================================================
GRANDSTREAM
===============================================================================

1.Advisory Information
Title: Grandstream Series Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
The following vulnerabilities have been found in these devices:
-CVE-2013-3542. Backdoor in Telnet Protocol(CAPEC-443)
-CVE-2013-3962. Cross Site Scripting(CWE-79)
-CVE-2013-3963.

-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963. It's possible other models are affected but they were not checked.

4.PoC

4.1.Backdoor in Telnet Protocol
CVE-2013-3542, Backdoor in Telnet Protocol
You should connect via telnet protocol to any affected camera (it's open by default). After that, you should enter the magic string “ !#/ ” as Username and as Password. You will get the admin panel setting menu. If you type "help", the following commands are shown:
=======================================================
help, quit, status, restart, restore, upgrade, tty_test
=======================================================
@@@ restore (Reset settings to factory default)
The attacker can take control of the device, which makes these devices very vulnerable.

4.2.Cross Site Scripting (XSS)
CVE-2013-3962, Cross Site Scripting non-persistent.
_____________________________________________________________________________
http://xx.xx.xx.xx/<script>alert(123)</script>
_____________________________________________________________________________

4.3.Cross Site Request Forgery (CSRF)
CVE-2013-3963, CSRF via GET method.
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters. You should enter the following URL to replicate the attack.
_____________________________________________________________________________
http://xx.xx.xx.xx/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0
_____________________________________________________________________________

5.Credits
-CVE-2013-3542, CVE-2013-3962 and CVE-2013-3963 were discovered by Jonás Ropero Castillo.

6.Report Timeline
-2013-05-31: Students opens a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3542.
-2013-05-31: Grandstream team reports to the technical support to analyze the vulnerability.
-2013-06-11: Students opens a ticket in order to notify the Grandstream Customer Support of the CVE-2013-3962 and CVE-2013-3963 vulnerabilities

Trust: 3.15

sources: NVD: CVE-2013-3963 // JVNDB: JVNDB-2013-004459 // CNVD: CNVD-2013-08565 // CNVD: CNVD-2013-08564 // BID: 60532 // VULHUB: VHN-63965 // PACKETSTORM: 122004

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 1.2

sources: CNVD: CNVD-2013-08565 // CNVD: CNVD-2013-08564

AFFECTED PRODUCTS

vendor: grandstream, model: gxv device, scope: eq, version: 1.0.4.16

Trust: 1.6

vendor: grandstream, model: gxv device, scope: eq, version: 1.0.3.9

Trust: 1.6

vendor: grandstream, model: gxv device, scope: eq, version: 1.0.4.37

Trust: 1.6

vendor: grandstream, model: gxv device, scope: eq, version: 1.0.4.27

Trust: 1.6

vendor: grandstream, model: gxv device, scope: eq, version: 1.0.4.7

Trust: 1.6

vendor: grandstream, model: gxv device, scope: eq, version: 1.0.4.38

Trust: 1.6

vendor: grandstream, model: gxv device, scope: eq, version: 1.0.4.6

Trust: 1.6

vendor: grandstream, model: gxv device, scope: eq, version: 1.0.4.34

Trust: 1.6

vendor: grandstream, model: gxv device, scope: eq, version: 1.0.2.3

Trust: 1.6

vendor: grandstream, model: gxv device, scope: eq, version: 1.0.4.11

Trust: 1.6

vendor: grandstream, model: gxv3501 gxv3504 ip video encoders, scope: eq, version: /

Trust: 1.2

vendor: grandstream, model: gxv3500 ip video encoder/decoder, scope: -, version: -

Trust: 1.2

vendor: grandstream, model: gxv series ip cameras, scope: -, version: -

Trust: 1.2

vendor: grandstream, model: gxv device, scope: lte, version: 1.0.4.43

Trust: 1.0

vendor: grandstream, model: gxv3651fhd, scope: eq, version: -

Trust: 1.0

vendor: grandstream, model: gxv3501, scope: eq, version: -

Trust: 1.0

vendor: grandstream, model: gxv3611hd/ll, scope: eq, version: -

Trust: 1.0

vendor: grandstream, model: gxv device, scope: eq, version: 1.0.4.42

Trust: 1.0

vendor: grandstream, model: gxv3615wp hd, scope: eq, version: -

Trust: 1.0

vendor: grandstream, model: gxv3615w/p, scope: eq, version: -

Trust: 1.0

vendor: grandstream, model: gxv3662hd, scope: eq, version: -

Trust: 1.0

vendor: grandstream, model: gxv3500, scope: eq, version: -

Trust: 1.0

vendor: grandstream, model: gxv3504, scope: eq, version: -

Trust: 1.0

vendor: grandstream, model: gxv device, scope: eq, version: 1.0.4.39

Trust: 1.0

vendor: grandstream, model: gxv3601, scope: eq, version: -

Trust: 1.0

vendor: grandstream, model: gxv3601hd/ll, scope: eq, version: -

Trust: 1.0

vendor: grandstream, model: gxv, scope: lte, version: 1.0.4.43

Trust: 0.8

vendor: grandstream, model: gxv3500, scope: -, version: -

Trust: 0.8

vendor: grandstream, model: gxv3501, scope: -, version: -

Trust: 0.8

vendor: grandstream, model: gxv3504, scope: -, version: -

Trust: 0.8

vendor: grandstream, model: gxv3601, scope: -, version: -

Trust: 0.8

vendor: grandstream, model: gxv3601hd/ll, scope: -, version: -

Trust: 0.8

vendor: grandstream, model: gxv3611hd/ll, scope: -, version: -

Trust: 0.8

vendor: grandstream, model: gxv3615w/p, scope: -, version: -

Trust: 0.8

vendor: grandstream, model: gxv3615wp hd, scope: -, version: -

Trust: 0.8

vendor: grandstream, model: gxv3651fhd, scope: -, version: -

Trust: 0.8

vendor: grandstream, model: gxv3662hd, scope: -, version: -

Trust: 0.8

vendor: grandstream, model: gxv3662hd, scope: eq, version: 0

Trust: 0.3

vendor: grandstream, model: gxv3651fhd, scope: eq, version: 0

Trust: 0.3

vendor: grandstream, model: gxv3615wp hd, scope: eq, version: 0

Trust: 0.3

vendor: grandstream, model: gxv3615w/p, scope: eq, version: 0

Trust: 0.3

vendor: grandstream, model: gxv3611hd/ll, scope: eq, version: 0

Trust: 0.3

vendor: grandstream, model: gxv3601hd/ll, scope: eq, version: 0

Trust: 0.3

vendor: grandstream, model: gxv3601, scope: eq, version: 0

Trust: 0.3

vendor: grandstream, model: gxv3504, scope: eq, version: 0

Trust: 0.3

vendor: grandstream, model: gxv3501, scope: eq, version: 0

Trust: 0.3

vendor: grandstream, model: gxv3500, scope: eq, version: 0

Trust: 0.3

sources: CNVD: CNVD-2013-08565 // CNVD: CNVD-2013-08564 // BID: 60532 // JVNDB: JVNDB-2013-004459 // CNNVD: CNNVD-201306-258 // NVD: CVE-2013-3963

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-3963
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-3963
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2013-08565
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2013-08564
value: LOW

Trust: 0.6

CNNVD: CNNVD-201306-258
value: MEDIUM

Trust: 0.6

VULHUB: VHN-63965
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-3963
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-08565
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2013-08564
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-63965
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2013-08565 // CNVD: CNVD-2013-08564 // VULHUB: VHN-63965 // JVNDB: JVNDB-2013-004459 // CNNVD: CNNVD-201306-258 // NVD: CVE-2013-3963

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-63965 // JVNDB: JVNDB-2013-004459 // NVD: CVE-2013-3963

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201306-258

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201306-258

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004459

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-63965

PATCH

title: Top Page, url: http://www.grandstream.com/

Trust: 0.8

sources: JVNDB: JVNDB-2013-004459

EXTERNAL IDS

db: NVD, id: CVE-2013-3963

Trust: 3.5

db: BID, id: 60532

Trust: 1.6

db: PACKETSTORM, id: 122004

Trust: 1.3

db: SECUNIA, id: 53763

Trust: 1.2

db: JVNDB, id: JVNDB-2013-004459

Trust: 0.8

db: CNNVD, id: CNNVD-201306-258

Trust: 0.7

db: CNVD, id: CNVD-2013-08565

Trust: 0.6

db: CNVD, id: CNVD-2013-08564

Trust: 0.6

db: FULLDISC, id: 20130612 SECURITY ANALYSIS OF IP VIDEO SURVEILLANCE CAMERAS

Trust: 0.6

db: EXPLOIT-DB, id: 38584

Trust: 0.1

db: VULHUB, id: VHN-63965

Trust: 0.1

sources: CNVD: CNVD-2013-08565 // CNVD: CNVD-2013-08564 // VULHUB: VHN-63965 // BID: 60532 // JVNDB: JVNDB-2013-004459 // PACKETSTORM: 122004 // CNNVD: CNNVD-201306-258 // NVD: CVE-2013-3963

REFERENCES

url:http://seclists.org/fulldisclosure/2013/jun/84

Trust: 2.8

url:http://www.secunia.com/advisories/53763/

Trust: 1.2

url:http://packetstormsecurity.com/files/122004/grandstream-backdoor-cross-site-request-forgery-cross-site-scripting.html

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3963

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3963

Trust: 0.8

url:http://www.securityfocus.com/bid/60532

Trust: 0.6

url:http://www.grandstream.com/index.php/products/ip-video-surveillance

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2013-3963

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3542

Trust: 0.1

url:http://xx.xx.xx.xx/<script>alert(123)</script>

Trust: 0.1

url:http://xx.xx.xx.xx/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3962

Trust: 0.1

sources: CNVD: CNVD-2013-08565 // CNVD: CNVD-2013-08564 // VULHUB: VHN-63965 // BID: 60532 // JVNDB: JVNDB-2013-004459 // PACKETSTORM: 122004 // CNNVD: CNNVD-201306-258 // NVD: CVE-2013-3963

CREDITS

Jonás Ropero Castillo

Trust: 0.6

sources: CNNVD: CNNVD-201306-258

SOURCES

db: CNVD, id: CNVD-2013-08565
db: CNVD, id: CNVD-2013-08564
db: VULHUB, id: VHN-63965
db: BID, id: 60532
db: JVNDB, id: JVNDB-2013-004459
db: PACKETSTORM, id: 122004
db: CNNVD, id: CNNVD-201306-258
db: NVD, id: CVE-2013-3963

LAST UPDATE DATE

2024-11-23T19:42:20.052000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-08565, date: 2013-07-03T00:00:00
db: CNVD, id: CNVD-2013-08564, date: 2013-07-03T00:00:00
db: VULHUB, id: VHN-63965, date: 2013-10-02T00:00:00
db: BID, id: 60532, date: 2013-06-12T00:00:00
db: JVNDB, id: JVNDB-2013-004459, date: 2013-10-04T00:00:00
db: CNNVD, id: CNNVD-201306-258, date: 2013-10-16T00:00:00
db: NVD, id: CVE-2013-3963, date: 2024-11-21T01:54:38.043

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-08565, date: 2013-07-02T00:00:00
db: CNVD, id: CNVD-2013-08564, date: 2013-07-02T00:00:00
db: VULHUB, id: VHN-63965, date: 2013-10-01T00:00:00
db: BID, id: 60532, date: 2013-06-12T00:00:00
db: JVNDB, id: JVNDB-2013-004459, date: 2013-10-04T00:00:00
db: PACKETSTORM, id: 122004, date: 2013-06-13T06:12:41
db: CNNVD, id: CNNVD-201306-258, date: 2013-06-18T00:00:00
db: NVD, id: CVE-2013-3963, date: 2013-10-01T19:55:09.443