ID

VAR-201701-0163


CVE

CVE-2016-10176


TITLE

NETGEAR WNR2000v5 Vulnerability to execute sensitive operations in router

Trust: 0.8

sources: JVNDB: JVNDB-2016-007709

DESCRIPTION

The NETGEAR WNR2000v5 router allows an administrator to perform sensitive actions by invoking the apply.cgi URL on the web server of the device. This special URL is handled by the embedded web server (uhttpd) and processed accordingly. The web server also contains another URL, apply_noauth.cgi, that allows an unauthenticated user to perform sensitive actions on the device. This functionality can be exploited to change the router settings (such as the answers to the password-recovery questions) and achieve remote code execution. NETGEARWNR2000v5router is a popular router device. NETGEARWNR2000v5router has a certification bypass vulnerability. An attacker could exploit this vulnerability to bypass the authentication mechanism and perform unauthorized operations. Netgear WNR2000 is prone to the following vulnerabilities: 1. An authentication-bypass vulnerability 2. Failed exploit attempts will likely cause a denial-of-service condition. Netgear WNR2000 firmware version 5 is affected; other versions may also be affected. A security vulnerability exists in the NETGEAR WNR2000v5 router

Trust: 2.61

sources: NVD: CVE-2016-10176 // JVNDB: JVNDB-2016-007709 // CNVD: CNVD-2017-01223 // BID: 95867 // VULHUB: VHN-88926 // VULMON: CVE-2016-10176

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-01223

AFFECTED PRODUCTS

vendor:net gearmodel:wnr2000v5scope: - version: -

Trust: 1.6

vendor:netgearmodel:wnr2000v5scope:lteversion:1.0.0.34

Trust: 1.0

vendor:netgearmodel:wnr2000scope:eqversion:5

Trust: 0.9

vendor:netgearmodel:wnr2000v5scope:eqversion:1.0.0.34

Trust: 0.6

sources: CNVD: CNVD-2017-01223 // BID: 95867 // JVNDB: JVNDB-2016-007709 // CNNVD: CNNVD-201702-103 // NVD: CVE-2016-10176

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-10176
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-10176
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2017-01223
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201702-103
value: HIGH

Trust: 0.6

VULHUB: VHN-88926
value: HIGH

Trust: 0.1

VULMON: CVE-2016-10176
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-10176
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2017-01223
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-88926
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-10176
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-01223 // VULHUB: VHN-88926 // VULMON: CVE-2016-10176 // JVNDB: JVNDB-2016-007709 // CNNVD: CNNVD-201702-103 // NVD: CVE-2016-10176

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-88926 // JVNDB: JVNDB-2016-007709 // NVD: CVE-2016-10176

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-103

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201702-103

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007709

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-88926 // VULMON: CVE-2016-10176

PATCH

title:Insecure Remote Access and Command Execution Security Vulnerability, PSV-2016-0255url:http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability

Trust: 0.8

title:NETGEARWNR2000v5router authentication bypasses the patch for the vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/89180

Trust: 0.6

title:NETGEAR WNR2000v5 Repair measures for router security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=67474

Trust: 0.6

title:BleepingComputerurl:https://www.bleepingcomputer.com/news/security/routex-malware-uses-netgear-routers-for-credential-stuffing-attacks/

Trust: 0.1

title:BleepingComputerurl:https://www.bleepingcomputer.com/news/security/zyxel-and-netgear-fail-to-patch-seven-security-flaws-affecting-their-routers/

Trust: 0.1

sources: CNVD: CNVD-2017-01223 // VULMON: CVE-2016-10176 // JVNDB: JVNDB-2016-007709 // CNNVD: CNNVD-201702-103

EXTERNAL IDS

db:NVDid:CVE-2016-10176

Trust: 3.5

db:BIDid:95867

Trust: 2.7

db:EXPLOIT-DBid:40949

Trust: 1.2

db:JVNDBid:JVNDB-2016-007709

Trust: 0.8

db:CNNVDid:CNNVD-201702-103

Trust: 0.7

db:CNVDid:CNVD-2017-01223

Trust: 0.6

db:VULHUBid:VHN-88926

Trust: 0.1

db:VULMONid:CVE-2016-10176

Trust: 0.1

sources: CNVD: CNVD-2017-01223 // VULHUB: VHN-88926 // VULMON: CVE-2016-10176 // BID: 95867 // JVNDB: JVNDB-2016-007709 // CNNVD: CNNVD-201702-103 // NVD: CVE-2016-10176

REFERENCES

url:https://raw.githubusercontent.com/pedrib/poc/master/advisories/netgear-wnr2000.txt

Trust: 2.6

url:http://www.securityfocus.com/bid/95867

Trust: 2.4

url:http://kb.netgear.com/000036549/insecure-remote-access-and-command-execution-security-vulnerability

Trust: 1.8

url:http://seclists.org/fulldisclosure/2016/dec/72

Trust: 1.8

url:https://www.exploit-db.com/exploits/40949/

Trust: 1.3

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-10176

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-10176

Trust: 0.8

url:http://www.netgear.com

Trust: 0.3

url:http://seclists.org/fulldisclosure/2017/jan/88

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/20.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.bleepingcomputer.com/news/security/routex-malware-uses-netgear-routers-for-credential-stuffing-attacks/

Trust: 0.1

url:https://www.rapid7.com/db/modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery

Trust: 0.1

sources: CNVD: CNVD-2017-01223 // VULHUB: VHN-88926 // VULMON: CVE-2016-10176 // BID: 95867 // JVNDB: JVNDB-2016-007709 // CNNVD: CNNVD-201702-103 // NVD: CVE-2016-10176

CREDITS

Pedro Ribeiro.

Trust: 0.3

sources: BID: 95867

SOURCES

db:CNVDid:CNVD-2017-01223
db:VULHUBid:VHN-88926
db:VULMONid:CVE-2016-10176
db:BIDid:95867
db:JVNDBid:JVNDB-2016-007709
db:CNNVDid:CNNVD-201702-103
db:NVDid:CVE-2016-10176

LAST UPDATE DATE

2024-08-14T14:05:57.382000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2017-01223date:2017-02-12T00:00:00
db:VULHUBid:VHN-88926date:2017-09-03T00:00:00
db:VULMONid:CVE-2016-10176date:2017-09-03T00:00:00
db:BIDid:95867date:2017-02-02T01:03:00
db:JVNDBid:JVNDB-2016-007709date:2017-03-13T00:00:00
db:CNNVDid:CNNVD-201702-103date:2017-02-10T00:00:00
db:NVDid:CVE-2016-10176date:2017-09-03T01:29:03.453

SOURCES RELEASE DATE

db:CNVDid:CNVD-2017-01223date:2017-02-13T00:00:00
db:VULHUBid:VHN-88926date:2017-01-30T00:00:00
db:VULMONid:CVE-2016-10176date:2017-01-30T00:00:00
db:BIDid:95867date:2017-01-30T00:00:00
db:JVNDBid:JVNDB-2016-007709date:2017-03-13T00:00:00
db:CNNVDid:CNNVD-201702-103date:2017-01-29T00:00:00
db:NVDid:CVE-2016-10176date:2017-01-30T04:59:00.250