ID

VAR-201704-0139


CVE

CVE-2016-5068


TITLE

Sierra Wireless GX 440 Device ALEOS Firmware authentication vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-008300

DESCRIPTION

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 do not require authentication for Embedded_Ace_Get_Task.cgi requests. The ALEOS firmware on Sierra Wireless GX 440 devices contains an authentication vulnerability. An attacker may obtain information, alter information, or disrupt service operation (DoS). The Sierra Wireless GX440 is a gateway device from Sierra Wireless, Canada. An authentication vulnerability exists in Sierra Wireless GX440 devices running version 4.3.2 of the ALEOS firmware, caused by the program not requiring authentication for Embedded_Ace_Get_Task.cgi. An attacker could exploit this vulnerability to gain root/shell access.

Trust: 2.34

sources: NVD: CVE-2016-5068 // JVNDB: JVNDB-2016-008300 // CNVD: CNVD-2017-16018 // VULHUB: VHN-93887 // VULMON: CVE-2016-5068

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-16018

AFFECTED PRODUCTS

vendor: sierrawireless, model: aleos, scope: eq, version: 4.3.2

Trust: 1.6

vendor: sierra, model: aleos, scope: eq, version: 4.3.2

Trust: 0.8

vendor: sierra, model: wireless gx, scope: eq, version: 4404.3.2

Trust: 0.6

sources: CNVD: CNVD-2017-16018 // JVNDB: JVNDB-2016-008300 // CNNVD: CNNVD-201704-507 // NVD: CVE-2016-5068

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-5068
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-5068
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2017-16018
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201704-507
value: HIGH

Trust: 0.6

VULHUB: VHN-93887
value: HIGH

Trust: 0.1

VULMON: CVE-2016-5068
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-5068
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2017-16018
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-93887
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-5068
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-16018 // VULHUB: VHN-93887 // VULMON: CVE-2016-5068 // JVNDB: JVNDB-2016-008300 // CNNVD: CNNVD-201704-507 // NVD: CVE-2016-5068

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-93887 // JVNDB: JVNDB-2016-008300 // NVD: CVE-2016-5068

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-507

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201704-507

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-008300

PATCH

title: Getting started with AirLink Intelligent Gateways
url: https://source.sierrawireless.com/airvantage/avc/howto/hardware/airlink_getting_started/

Trust: 0.8

sources: JVNDB: JVNDB-2016-008300

EXTERNAL IDS

db: NVD, id: CVE-2016-5068

Trust: 3.2

db: JVNDB, id: JVNDB-2016-008300

Trust: 0.8

db: CNNVD, id: CNNVD-201704-507

Trust: 0.7

db: CNVD, id: CNVD-2017-16018

Trust: 0.6

db: VULHUB, id: VHN-93887

Trust: 0.1

db: VULMON, id: CVE-2016-5068

Trust: 0.1

sources: CNVD: CNVD-2017-16018 // VULHUB: VHN-93887 // VULMON: CVE-2016-5068 // JVNDB: JVNDB-2016-008300 // CNNVD: CNNVD-201704-507 // NVD: CVE-2016-5068

REFERENCES

url:https://carvesystems.com/sierra-wireless-2016-advisory.html

Trust: 3.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-5068

Trust: 1.4

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5068

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/287.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2017-16018 // VULHUB: VHN-93887 // VULMON: CVE-2016-5068 // JVNDB: JVNDB-2016-008300 // CNNVD: CNNVD-201704-507 // NVD: CVE-2016-5068

SOURCES

db: CNVD, id: CNVD-2017-16018
db: VULHUB, id: VHN-93887
db: VULMON, id: CVE-2016-5068
db: JVNDB, id: JVNDB-2016-008300
db: CNNVD, id: CNNVD-201704-507
db: NVD, id: CVE-2016-5068

LAST UPDATE DATE

2024-11-23T22:01:12.071000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-16018, date: 2017-07-24T00:00:00
db: VULHUB, id: VHN-93887, date: 2017-04-14T00:00:00
db: VULMON, id: CVE-2016-5068, date: 2017-04-14T00:00:00
db: JVNDB, id: JVNDB-2016-008300, date: 2017-05-15T00:00:00
db: CNNVD, id: CNNVD-201704-507, date: 2017-05-18T00:00:00
db: NVD, id: CVE-2016-5068, date: 2024-11-21T02:53:34.257

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-16018, date: 2017-07-24T00:00:00
db: VULHUB, id: VHN-93887, date: 2017-04-10T00:00:00
db: VULMON, id: CVE-2016-5068, date: 2017-04-10T00:00:00
db: JVNDB, id: JVNDB-2016-008300, date: 2017-05-15T00:00:00
db: CNNVD, id: CNNVD-201704-507, date: 2017-04-09T00:00:00
db: NVD, id: CVE-2016-5068, date: 2017-04-10T03:59:01.653