ID

VAR-201604-0383


CVE

CVE-2016-1168


TITLE

NEC Aterm WF800HP Cross-Site Request Forgery Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2016-01964 // CNNVD: CNNVD-201603-430

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability on NEC Aterm WF800HP devices with firmware 1.0.17 and earlier allows remote attackers to hijack the authentication of arbitrary users. Satoshi Ogawa of Mitsui Bussan Secure Directions,Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.If a user views a malicious page while logged in, unintended operations may be performed. NECAtermWF800HP is a wireless router product from NEC. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. Aterm WF800HP 1.0.17 is vulnerable; other versions may also be affected

Trust: 2.52

sources: NVD: CVE-2016-1168 // JVNDB: JVNDB-2016-000035 // CNVD: CNVD-2016-01964 // BID: 85740 // VULHUB: VHN-89987

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-01964

AFFECTED PRODUCTS

vendor:atermmodel:wf800hpscope:lteversion:1.0.17

Trust: 1.0

vendor:necmodel:aterm wf800hpscope:lteversion:firmware ver1.0.17

Trust: 0.8

vendor:necmodel:aterm wf800hpscope:eqversion:1.0.17

Trust: 0.6

vendor:atermmodel:wf800hpscope:eqversion: -

Trust: 0.6

sources: CNVD: CNVD-2016-01964 // JVNDB: JVNDB-2016-000035 // CNNVD: CNNVD-201603-430 // NVD: CVE-2016-1168

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-1168
value: HIGH

Trust: 1.0

IPA: JVNDB-2016-000035
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-01964
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201603-430
value: MEDIUM

Trust: 0.6

VULHUB: VHN-89987
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-1168
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2016-000035
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2016-01964
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-89987
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-1168
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

IPA: JVNDB-2016-000035
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2016-01964 // VULHUB: VHN-89987 // JVNDB: JVNDB-2016-000035 // CNNVD: CNNVD-201603-430 // NVD: CVE-2016-1168

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-89987 // JVNDB: JVNDB-2016-000035 // NVD: CVE-2016-1168

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201603-430

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201603-430

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-000035

PATCH

title:Aterm Security Advisory [Update:2016/04/06]url:http://www.aterm.jp/support/tech/2016/0330.html

Trust: 0.8

title:NV16-004url:http://jpn.nec.com/security-info/secinfo/nv16-004.html

Trust: 0.8

title:NECAtermWF800HP cross-site request forgery vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/73504

Trust: 0.6

title:NEC Aterm WF800HP Fixes for cross-site request forgery vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60724

Trust: 0.6

sources: CNVD: CNVD-2016-01964 // JVNDB: JVNDB-2016-000035 // CNNVD: CNNVD-201603-430

EXTERNAL IDS

db:NVDid:CVE-2016-1168

Trust: 3.4

db:JVNid:JVN07818796

Trust: 3.1

db:JVNDBid:JVNDB-2016-000035

Trust: 3.1

db:CNNVDid:CNNVD-201603-430

Trust: 0.7

db:CNVDid:CNVD-2016-01964

Trust: 0.6

db:BIDid:85740

Trust: 0.4

db:VULHUBid:VHN-89987

Trust: 0.1

sources: CNVD: CNVD-2016-01964 // VULHUB: VHN-89987 // BID: 85740 // JVNDB: JVNDB-2016-000035 // CNNVD: CNNVD-201603-430 // NVD: CVE-2016-1168

REFERENCES

url:http://jvn.jp/en/jp/jvn07818796/index.html

Trust: 3.1

url:http://jpn.nec.com/security-info/secinfo/nv16-004.html

Trust: 1.7

url:http://jvndb.jvn.jp/jvndb/jvndb-2016-000035

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1168

Trust: 0.8

url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1168

Trust: 0.8

url:http://jvndb.jvn.jp/en/contents/2016/jvndb-2016-000035.html

Trust: 0.6

sources: CNVD: CNVD-2016-01964 // VULHUB: VHN-89987 // JVNDB: JVNDB-2016-000035 // CNNVD: CNNVD-201603-430 // NVD: CVE-2016-1168

CREDITS

Satoshi Ogawa of Mitsui Bussan Secure Directions,Inc.

Trust: 0.9

sources: BID: 85740 // CNNVD: CNNVD-201603-430

SOURCES

db:CNVDid:CNVD-2016-01964
db:VULHUBid:VHN-89987
db:BIDid:85740
db:JVNDBid:JVNDB-2016-000035
db:CNNVDid:CNNVD-201603-430
db:NVDid:CVE-2016-1168

LAST UPDATE DATE

2024-08-14T14:27:27.209000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2016-01964date:2016-04-01T00:00:00
db:VULHUBid:VHN-89987date:2016-04-01T00:00:00
db:BIDid:85740date:2016-03-30T00:00:00
db:JVNDBid:JVNDB-2016-000035date:2016-04-18T00:00:00
db:CNNVDid:CNNVD-201603-430date:2016-04-05T00:00:00
db:NVDid:CVE-2016-1168date:2016-04-01T18:16:50.330

SOURCES RELEASE DATE

db:CNVDid:CNVD-2016-01964date:2016-04-01T00:00:00
db:VULHUBid:VHN-89987date:2016-04-01T00:00:00
db:BIDid:85740date:2016-03-30T00:00:00
db:JVNDBid:JVNDB-2016-000035date:2016-03-30T00:00:00
db:CNNVDid:CNNVD-201603-430date:2016-03-31T00:00:00
db:NVDid:CVE-2016-1168date:2016-04-01T14:59:01.483