ID

VAR-201704-0303


CVE

CVE-2016-1555


TITLE

Vulnerability allowing arbitrary command execution in multiple Netgear products

Trust: 0.8

sources: JVNDB: JVNDB-2016-008523

DESCRIPTION

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute arbitrary commands.

Netgear is the world's leading enterprise network solution and advocate for digital home networking applications. There are authentication bypass vulnerabilities in various Netgear devices. Attackers can exploit the vulnerabilities to pass input directly to the command line through unauthenticated web pages and launch command injection attacks.

Security vulnerabilities exist in multiple files in several Netgear products. The following products and versions are affected: Netgear WN604 prior to 3.3.3; WN802Tv2 prior to 3.5.5.0; WNAP210v2 prior to 3.5.5.0; WNAP320 prior to 3.5.5.0; WNDAP350 prior to 3.5.5.0; WNDAP360 prior to 3.5.5.0; WNDAP660 prior to 3.5.5.0.

Hello,

We’d like to report several vulnerabilities in embedded devices developed by D-Link and Netgear, which were discovered using our FIRMADYNE framework for emulation and dynamic analysis of Linux-based embedded devices. For more information, refer to our academic paper and open-source release at https://github.com/firmadyne/firmadyne.

This has been assigned CVE-2016-1555. Affected devices include: Netgear WN604, Netgear WN802Tv2, Netgear WNAP210, Netgear WNAP320, Netgear WNDAP350, Netgear WNDAP360.

Several D-Link devices include a web server that is vulnerable to a buffer overflow while parsing the 'dlink_uid' cookie. The length of the value set in the cookie is obtained using strlen(), which is then passed to memcpy(), and the value is copied into a fixed-size buffer. This has been assigned CVE-2016-1558. Affected devices include: D-Link DAP-2310, D-Link DAP-2330, D-Link DAP-2360, D-Link DAP-2553, D-Link DAP-2660, D-Link DAP-2690, D-Link DAP-2695.

Several Netgear devices include unauthenticated webpages that disclose the wireless WPS PIN, allowing for information disclosure. This has been assigned CVE-2016-1556. Affected devices include: Netgear WN604, Netgear WNAP210, Netgear WNAP320, Netgear WND930, Netgear WNDAP350, Netgear WNDAP360.

Several devices by both D-Link and Netgear disclose wireless passwords and administrative usernames/passwords over SNMP, including OIDs iso.3.6.1.4.1.171.10.37.35.2.1.3.3.2.1.1.4, iso.3.6.1.4.1.171.10.37.38.2.1.3.3.2.1.1.4, iso.3.6.1.4.1.171.10.37.35.4.1.1.1, iso.3.6.1.4.1.171.10.37.37.4.1.1.1, iso.3.6.1.4.1.171.10.37.38.4.1.1.1, iso.3.6.1.4.1.4526.100.7.8.1.5, iso.3.6.1.4.1.4526.100.7.9.1.5, iso.3.6.1.4.1.4526.100.7.9.1.7, and iso.3.6.1.4.1.4526.100.7.10.1.7. This has been assigned CVE-2016-1557 for Netgear devices, and CVE-2016-1559 for D-Link devices. Affected devices include: D-Link DAP-1353, D-Link DAP-2553, D-Link DAP-3520, Netgear WNAP320, Netgear WNDAP350, Netgear WNDAP360.

We have not heard back from D-Link after contacting the vendor. Netgear will fix WN604 with firmware 3.3.3 by late February, but the tentative ETA for the remaining devices is mid-March.

Thanks,
Dominic

Trust: 2.43

sources: NVD: CVE-2016-1555 // JVNDB: JVNDB-2016-008523 // CNVD: CNVD-2016-01687 // VULHUB: VHN-90374 // VULMON: CVE-2016-1555 // PACKETSTORM: 135956

IOT TAXONOMY

category: ['Network device'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-01687

AFFECTED PRODUCTS

vendor: netgear // model: wn604 // scope: lte // version: 3.3.2

Trust: 1.0

vendor: netgear // model: wndap210v2 // scope: lte // version: 3.0.5.0

Trust: 1.0

vendor: netgear // model: wn802tv2 // scope: lte // version: 3.0.5.0

Trust: 1.0

vendor: netgear // model: wndap360 // scope: lte // version: 3.0.5.0

Trust: 1.0

vendor: netgear // model: wndap350 // scope: lte // version: 3.0.5.0

Trust: 1.0

vendor: netgear // model: wndap660 // scope: lte // version: 3.0.5.0

Trust: 1.0

vendor: netgear // model: wnap320 // scope: lte // version: 3.0.5.0

Trust: 1.0

vendor: net gear // model: wn604 // scope: lt // version: 3.3.3

Trust: 0.8

vendor: net gear // model: wn802tv2 // scope: lt // version: 3.5.5.0

Trust: 0.8

vendor: net gear // model: wnap210v2 // scope: lt // version: 3.5.5.0

Trust: 0.8

vendor: net gear // model: wnap320 // scope: lt // version: 3.5.5.0

Trust: 0.8

vendor: net gear // model: wndap350 // scope: lt // version: 3.5.5.0

Trust: 0.8

vendor: net gear // model: wndap360 // scope: lt // version: 3.5.5.0

Trust: 0.8

vendor: net gear // model: wndap660 // scope: lt // version: 3.5.5.0

Trust: 0.8

vendor: netgear // model: wn604 // scope: - // version: -

Trust: 0.6

vendor: netgear // model: wn802tv2 // scope: - // version: -

Trust: 0.6

vendor: netgear // model: wnap210 // scope: - // version: -

Trust: 0.6

vendor: netgear // model: wnap320 // scope: - // version: -

Trust: 0.6

vendor: netgear // model: wndap350 // scope: - // version: -

Trust: 0.6

vendor: netgear // model: wndap360 // scope: - // version: -

Trust: 0.6

vendor: netgear // model: wndap360 // scope: eq // version: 3.0.5.0

Trust: 0.6

vendor: netgear // model: wn604 // scope: eq // version: 3.3.2

Trust: 0.6

vendor: netgear // model: wndap210v2 // scope: eq // version: 3.0.5.0

Trust: 0.6

vendor: netgear // model: wndap660 // scope: eq // version: 3.0.5.0

Trust: 0.6

vendor: netgear // model: wndap350 // scope: eq // version: 3.0.5.0

Trust: 0.6

vendor: netgear // model: wn802tv2 // scope: eq // version: 3.0.5.0

Trust: 0.6

vendor: netgear // model: wnap320 // scope: eq // version: 3.0.5.0

Trust: 0.6

sources: CNVD: CNVD-2016-01687 // JVNDB: JVNDB-2016-008523 // CNNVD: CNNVD-201604-397 // NVD: CVE-2016-1555

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-1555
value: CRITICAL

Trust: 1.0

NVD: CVE-2016-1555
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2016-01687
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201604-397
value: CRITICAL

Trust: 0.6

VULHUB: VHN-90374
value: HIGH

Trust: 0.1

VULMON: CVE-2016-1555
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2016-1555
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2016-01687
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-90374
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2016-1555
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-01687 // VULHUB: VHN-90374 // VULMON: CVE-2016-1555 // JVNDB: JVNDB-2016-008523 // CNNVD: CNNVD-201604-397 // NVD: CVE-2016-1555

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.9

sources: VULHUB: VHN-90374 // JVNDB: JVNDB-2016-008523 // NVD: CVE-2016-1555

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201604-397

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201604-397

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-008523

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-90374

PATCH

title: CVE-2016-1555 - Notification // url: https://kb.netgear.com/30480/CVE-2016-1555-Notification

Trust: 0.8

title: Multiple Netgear Product security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91631

Trust: 0.6

title: faisalfs10x // url: https://github.com/faisalfs10x/faisalfs10x

Trust: 0.1

sources: VULMON: CVE-2016-1555 // JVNDB: JVNDB-2016-008523 // CNNVD: CNNVD-201604-397

EXTERNAL IDS

db: NVD // id: CVE-2016-1555

Trust: 3.3

db: PACKETSTORM // id: 135956

Trust: 2.7

db: EXPLOIT-DB // id: 45909

Trust: 1.8

db: JVNDB // id: JVNDB-2016-008523

Trust: 0.8

db: CNNVD // id: CNNVD-201604-397

Trust: 0.7

db: CNVD // id: CNVD-2016-01687

Trust: 0.6

db: PACKETSTORM // id: 150478

Trust: 0.1

db: VULHUB // id: VHN-90374

Trust: 0.1

db: VULMON // id: CVE-2016-1555

Trust: 0.1

sources: CNVD: CNVD-2016-01687 // VULHUB: VHN-90374 // VULMON: CVE-2016-1555 // JVNDB: JVNDB-2016-008523 // PACKETSTORM: 135956 // CNNVD: CNNVD-201604-397 // NVD: CVE-2016-1555

REFERENCES

url:http://packetstormsecurity.com/files/135956/d-link-netgear-firmadyne-command-injection-buffer-overflow.html

Trust: 2.6

url:http://seclists.org/fulldisclosure/2016/feb/112

Trust: 2.4

url:https://kb.netgear.com/30480/cve-2016-1555-notification?cid=wmt_netgear_organic

Trust: 1.8

url:https://www.exploit-db.com/exploits/45909/

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2016-1555

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1555

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/77.html

Trust: 0.1

url:https://github.com/faisalfs10x/faisalfs10x

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.rapid7.com/db/modules/exploit/linux/http/netgear_unauth_exec

Trust: 0.1

url:https://github.com/firmadyne/firmadyne.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1557

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1559

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1558

Trust: 0.1

sources: CNVD: CNVD-2016-01687 // VULHUB: VHN-90374 // VULMON: CVE-2016-1555 // JVNDB: JVNDB-2016-008523 // PACKETSTORM: 135956 // CNNVD: CNNVD-201604-397 // NVD: CVE-2016-1555

CREDITS

Dominic Chen

Trust: 0.1

sources: PACKETSTORM: 135956

SOURCES

db: CNVD // id: CNVD-2016-01687
db: VULHUB // id: VHN-90374
db: VULMON // id: CVE-2016-1555
db: JVNDB // id: JVNDB-2016-008523
db: PACKETSTORM // id: 135956
db: CNNVD // id: CNNVD-201604-397
db: NVD // id: CVE-2016-1555

LAST UPDATE DATE

2024-08-14T14:13:31.373000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2016-01687 // date: 2016-03-16T00:00:00
db: VULHUB // id: VHN-90374 // date: 2019-04-16T00:00:00
db: VULMON // id: CVE-2016-1555 // date: 2019-04-16T00:00:00
db: JVNDB // id: JVNDB-2016-008523 // date: 2017-05-29T00:00:00
db: CNNVD // id: CNNVD-201604-397 // date: 2019-04-17T00:00:00
db: NVD // id: CVE-2016-1555 // date: 2019-04-16T18:00:19.893

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2016-01687 // date: 2016-03-16T00:00:00
db: VULHUB // id: VHN-90374 // date: 2017-04-21T00:00:00
db: VULMON // id: CVE-2016-1555 // date: 2017-04-21T00:00:00
db: JVNDB // id: JVNDB-2016-008523 // date: 2017-05-29T00:00:00
db: PACKETSTORM // id: 135956 // date: 2016-02-26T17:22:22
db: CNNVD // id: CNNVD-201604-397 // date: 2016-03-01T00:00:00
db: NVD // id: CVE-2016-1555 // date: 2017-04-21T15:59:00.333