Sign-up

ID

VAR-201604-0383


CVE

CVE-2016-1168


TITLE

NEC Aterm WF800HP Cross-Site Request Forgery Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2016-01964 // CNNVD: CNNVD-201603-430

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability on NEC Aterm WF800HP devices with firmware 1.0.17 and earlier allows remote attackers to hijack the authentication of arbitrary users. Satoshi Ogawa of Mitsui Bussan Secure Directions,Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.If a user views a malicious page while logged in, unintended operations may be performed. NECAtermWF800HP is a wireless router product from NEC. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. Aterm WF800HP 1.0.17 is vulnerable; other versions may also be affected

Trust: 2.52

sources: NVD: CVE-2016-1168 // JVNDB: JVNDB-2016-000035 // CNVD: CNVD-2016-01964 // BID: 85740 // VULHUB: VHN-89987

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-01964

AFFECTED PRODUCTS

vendor:atermmodel:wf800hpscope:lteversion:1.0.17

Trust: 1.0

vendor:necmodel:aterm wf800hpscope:lteversion:firmware ver1.0.17

Trust: 0.8

vendor:necmodel:aterm wf800hpscope:eqversion:1.0.17

Trust: 0.6

vendor:atermmodel:wf800hpscope:eqversion: -

Trust: 0.6

sources: CNVD: CNVD-2016-01964 // JVNDB: JVNDB-2016-000035 // CNNVD: CNNVD-201603-430 // NVD: CVE-2016-1168

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-1168
value: HIGH

Trust: 1.0

IPA: JVNDB-2016-000035
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-01964
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201603-430
value: MEDIUM

Trust: 0.6

VULHUB: VHN-89987
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-1168
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2016-000035
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2016-01964
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-89987
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-1168
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

IPA: JVNDB-2016-000035
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2016-01964 // VULHUB: VHN-89987 // JVNDB: JVNDB-2016-000035 // CNNVD: CNNVD-201603-430 // NVD: CVE-2016-1168

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-89987 // JVNDB: JVNDB-2016-000035 // NVD: CVE-2016-1168

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201603-430

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201603-430

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-000035

PATCH
title:Aterm Security Advisory [Update:2016/04/06]url:http://www.aterm.jp/support/tech/2016/0330.html
Trust: 0.8
title:NV16-004url:http://jpn.nec.com/security-info/secinfo/nv16-004.html
Trust: 0.8
title:NECAtermWF800HP cross-site request forgery vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/73504
Trust: 0.6
title:NEC Aterm WF800HP Fixes for cross-site request forgery vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60724
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2016-01964 // 
            
            
            
            JVNDB: JVNDB-2016-000035 // 
            
            
            
            CNNVD: CNNVD-201603-430

EXTERNAL IDS
db:NVDid:CVE-2016-1168
Trust: 3.4
db:JVNid:JVN07818796
Trust: 3.1
db:JVNDBid:JVNDB-2016-000035
Trust: 3.1
db:CNNVDid:CNNVD-201603-430
Trust: 0.7
db:CNVDid:CNVD-2016-01964
Trust: 0.6
db:BIDid:85740
Trust: 0.4
db:VULHUBid:VHN-89987
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2016-01964 // 
            
            
            
            VULHUB: VHN-89987 // 
            
            
            
            BID: 85740 // 
            
            
            
            JVNDB: JVNDB-2016-000035 // 
            
            
            
            CNNVD: CNNVD-201603-430 // 
            
            
            
            NVD: CVE-2016-1168

REFERENCES
url:http://jvn.jp/en/jp/jvn07818796/index.html
Trust: 3.1
url:http://jpn.nec.com/security-info/secinfo/nv16-004.html
Trust: 1.7
url:http://jvndb.jvn.jp/jvndb/jvndb-2016-000035
Trust: 1.7
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1168
Trust: 0.8
url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1168
Trust: 0.8
url:http://jvndb.jvn.jp/en/contents/2016/jvndb-2016-000035.html
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2016-01964 // 
            
            
            
            VULHUB: VHN-89987 // 
            
            
            
            JVNDB: JVNDB-2016-000035 // 
            
            
            
            CNNVD: CNNVD-201603-430 // 
            
            
            
            NVD: CVE-2016-1168

CREDITS
Satoshi Ogawa of Mitsui Bussan Secure Directions,Inc.
Trust: 0.9
sources:
            
            
            BID: 85740 // 
            
            
            
            CNNVD: CNNVD-201603-430

SOURCES
db:CNVDid:CNVD-2016-01964
db:VULHUBid:VHN-89987
db:BIDid:85740
db:JVNDBid:JVNDB-2016-000035
db:CNNVDid:CNNVD-201603-430
db:NVDid:CVE-2016-1168

LAST UPDATE DATE
2024-11-23T23:09:12.740000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-01964date:2016-04-01T00:00:00
db:VULHUBid:VHN-89987date:2016-04-01T00:00:00
db:BIDid:85740date:2016-03-30T00:00:00
db:JVNDBid:JVNDB-2016-000035date:2016-04-18T00:00:00
db:CNNVDid:CNNVD-201603-430date:2016-04-05T00:00:00
db:NVDid:CVE-2016-1168date:2024-11-21T02:45:52.987

SOURCES RELEASE DATE
db:CNVDid:CNVD-2016-01964date:2016-04-01T00:00:00
db:VULHUBid:VHN-89987date:2016-04-01T00:00:00
db:BIDid:85740date:2016-03-30T00:00:00
db:JVNDBid:JVNDB-2016-000035date:2016-03-30T00:00:00
db:CNNVDid:CNNVD-201603-430date:2016-03-31T00:00:00
db:NVDid:CVE-2016-1168date:2016-04-01T14:59:01.483