Sign-up

ID

VAR-201606-0263


CVE

CVE-2015-8288


TITLE

Netgear D6000 and D3600 contain hard-coded cryptographic keys and are vulnerable to authentication bypass

Trust: 0.8

sources: CERT/CC: VU#778696

DESCRIPTION

NETGEAR D3600 devices with firmware 1.0.0.49 and D6000 devices with firmware 1.0.0.49 and earlier use the same hardcoded private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation. Supplementary information : CWE Vulnerability type by CWE-321: Use of Hard-coded Cryptographic Key ( Using hard-coded encryption keys ) Has been identified. http://cwe.mitre.org/data/definitions/321.htmlIf a third party uses key information from another installation, the cryptographic protection mechanism may be broken. The Netgear D6000 and D3600 are wireless router products for NETGEAR. An attacker can exploit these issues to bypass the authentication mechanism, obtain sensitive information. This may aid in further attacks. NetGear D3600 firmware versions 1.0.0.49 and prior

Trust: 3.24

sources: NVD: CVE-2015-8288 // CERT/CC: VU#778696 // JVNDB: JVNDB-2015-007204 // CNVD: CNVD-2016-04206 // BID: 91153 // VULHUB: VHN-86249

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-04206

AFFECTED PRODUCTS

vendor:netgearmodel:d3600scope:eqversion:1.0.0.49

Trust: 2.2

vendor:netgearmodel:d6000scope:lteversion:1.0.0.49

Trust: 1.0

vendor:netgearmodel: - scope: - version: -

Trust: 0.8

vendor:net gearmodel:d3600scope: - version: -

Trust: 0.8

vendor:net gearmodel:d3600scope:eqversion:1.0.0.49

Trust: 0.8

vendor:net gearmodel:d6000scope: - version: -

Trust: 0.8

vendor:net gearmodel:d6000scope:lteversion:1.0.0.49

Trust: 0.8

vendor:netgearmodel:d6000scope:lteversion:<=1.0.0.49

Trust: 0.6

vendor:netgearmodel:d6000scope:eqversion:1.0.0.49

Trust: 0.6

sources: CERT/CC: VU#778696 // CNVD: CNVD-2016-04206 // JVNDB: JVNDB-2015-007204 // CNNVD: CNNVD-201606-232 // NVD: CVE-2015-8288

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-8288
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-8288
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2016-04206
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201606-232
value: MEDIUM

Trust: 0.6

VULHUB: VHN-86249
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-8288
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-04206
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-86249
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-8288
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-04206 // VULHUB: VHN-86249 // JVNDB: JVNDB-2015-007204 // CNNVD: CNNVD-201606-232 // NVD: CVE-2015-8288

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2015-007204 // NVD: CVE-2015-8288

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201606-232

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201606-232

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-007204

PATCH
title:CVE-2015-8288 - Use of Hard-coded Cryptographic Keyurl:http://kb.netgear.com/app/answers/detail/a_id/30560
Trust: 0.8
title:Patch for NetgearD6000 and D3600 hardcoded RSA keyholesurl:https://www.cnvd.org.cn/patchInfo/show/77919
Trust: 0.6
title:Netgear D6000  and D3600 Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=62187
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2016-04206 // 
            
            
            
            JVNDB: JVNDB-2015-007204 // 
            
            
            
            CNNVD: CNNVD-201606-232

EXTERNAL IDS
db:CERT/CCid:VU#778696
Trust: 3.9
db:NVDid:CVE-2015-8288
Trust: 3.4
db:JVNid:JVNVU94303845
Trust: 0.8
db:JVNDBid:JVNDB-2015-007204
Trust: 0.8
db:CNNVDid:CNNVD-201606-232
Trust: 0.7
db:CNVDid:CNVD-2016-04206
Trust: 0.6
db:BIDid:91153
Trust: 0.3
db:VULHUBid:VHN-86249
Trust: 0.1
sources:
            
            
            CERT/CC: VU#778696 // 
            
            
            
            CNVD: CNVD-2016-04206 // 
            
            
            
            VULHUB: VHN-86249 // 
            
            
            
            BID: 91153 // 
            
            
            
            JVNDB: JVNDB-2015-007204 // 
            
            
            
            CNNVD: CNNVD-201606-232 // 
            
            
            
            NVD: CVE-2015-8288

REFERENCES
url:http://www.kb.cert.org/vuls/id/778696
Trust: 3.1
url:http://kb.netgear.com/app/answers/detail/a_id/30560
Trust: 2.5
url:http://kb.netgear.com/app/answers/detail/a_id/30490
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8288
Trust: 0.8
url:http://jvn.jp/vu/jvnvu94303845/
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-8288
Trust: 0.8
url:http://www.netgear.com
Trust: 0.3
sources:
            
            
            CERT/CC: VU#778696 // 
            
            
            
            CNVD: CNVD-2016-04206 // 
            
            
            
            VULHUB: VHN-86249 // 
            
            
            
            BID: 91153 // 
            
            
            
            JVNDB: JVNDB-2015-007204 // 
            
            
            
            CNNVD: CNNVD-201606-232 // 
            
            
            
            NVD: CVE-2015-8288

CREDITS
Mandar Jadhav of Qualys
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201606-232

SOURCES
db:CERT/CCid:VU#778696
db:CNVDid:CNVD-2016-04206
db:VULHUBid:VHN-86249
db:BIDid:91153
db:JVNDBid:JVNDB-2015-007204
db:CNNVDid:CNNVD-201606-232
db:NVDid:CVE-2015-8288

LAST UPDATE DATE
2024-11-23T22:07:49.353000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#778696date:2016-07-01T00:00:00
db:CNVDid:CNVD-2016-04206date:2016-06-22T00:00:00
db:VULHUBid:VHN-86249date:2016-06-21T00:00:00
db:BIDid:91153date:2016-06-10T00:00:00
db:JVNDBid:JVNDB-2015-007204date:2016-06-22T00:00:00
db:CNNVDid:CNNVD-201606-232date:2016-06-21T00:00:00
db:NVDid:CVE-2015-8288date:2024-11-21T02:38:14.440

SOURCES RELEASE DATE
db:CERT/CCid:VU#778696date:2016-06-10T00:00:00
db:CNVDid:CNVD-2016-04206date:2016-06-22T00:00:00
db:VULHUBid:VHN-86249date:2016-06-20T00:00:00
db:BIDid:91153date:2016-06-10T00:00:00
db:JVNDBid:JVNDB-2015-007204date:2016-06-22T00:00:00
db:CNNVDid:CNNVD-201606-232date:2016-06-12T00:00:00
db:NVDid:CVE-2015-8288date:2016-06-20T01:59:00.133