Details of VAR-201706-0448

ID

VAR-201706-0448

CVE

CVE-2017-3216

TITLE

Various WiMAX routers contain a authentication bypass vulnerability in custom libmtk httpd plugin

Trust: 0.8

sources: CERT/CC: VU#350135

DESCRIPTION

WiMAX routers based on the MediaTek SDK (libmtk) that use a custom httpd plugin are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to gain administrator access to the device by performing an administrator password change on the device via a crafted POST request. libmtk For httpd Multiple using plug-ins WiMAX The router contains an authentication bypass vulnerability. In particular commit2.cgi Against ADMIN_PASSWD A parameter was set POST You can change the administrator password by sending a request. According to the reporter, some of the surveyed products are initially enabled for remote management. In this case, there is a possibility of being attacked from the Internet side. MediaTek According to the company, the vulnerable file MediaTek SDK It is not included in itself, SDK It is speculated that it was provided by the developer who developed the firmware using. Details of the reporter blog See article. As a result, you may gain administrative privileges on the device. WiMAX (Worldwide Interoperability for Microwave Access) is a communication technology based on the IEEE-802.16 standard and can be used as an alternative to wired broadband services. The following products and versions are affected: ZyXEL MAX338M; ZyXEL MAX318M; ZyXEL MAX308M Version 2.00(UUA.3)D0; ZyXEL MAX218MW Version 2.00(UXD.2)D0; ZyXEL MAX218M1W Version 2.00(UXE.3)D0; ZyXEL MAX218M Version 2.00( UXG.0)D0 version; ZTE OX-330P; Mada Soho Wireless Router 2.10.13; Huawei HES-339M; Huawei HES-319M2W; Huawei HES-319M; Huawei HES-309M; Huawei BM2022 version 2.10.14; Green Packet OX-350

Trust: 3.33

sources: NVD: CVE-2017-3216 // CERT/CC: VU#350135 // JVNDB: JVNDB-2017-003883 // CNVD: CNVD-2017-14427 // BID: 99078 // VULHUB: VHN-111419 // VULMON: CVE-2017-3216

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-14427

AFFECTED PRODUCTS

vendor:	zyxel	model:	max318m	scope:	eq	version:	-	Trust: 1.6
vendor:	zyxel	model:	max218mw	scope:	eq	version:	-	Trust: 1.6
vendor:	zyxel	model:	max218m1w	scope:	eq	version:	-	Trust: 1.6
vendor:	zyxel	model:	max308m fimware	scope:	eq	version:	-	Trust: 1.6
vendor:	zyxel	model:	max218m	scope:	eq	version:	-	Trust: 1.6
vendor:	zyxel	model:	max338m	scope:	eq	version:	-	Trust: 1.6
vendor:	huawei	model:	bm2022	scope:	eq	version:	-	Trust: 1.0
vendor:	huawei	model:	hes-319m2w	scope:	eq	version:	-	Trust: 1.0
vendor:	mada	model:	soho wireless router	scope:	eq	version:	-	Trust: 1.0
vendor:	huawei	model:	hes-319m	scope:	eq	version:	-	Trust: 1.0
vendor:	huawei	model:	hes-339m	scope:	eq	version:	-	Trust: 1.0
vendor:	zte	model:	ox-330p	scope:	eq	version:	-	Trust: 1.0
vendor:	greenpacket	model:	ox350	scope:	eq	version:	-	Trust: 1.0
vendor:	huawei	model:	hes-309m	scope:	eq	version:	-	Trust: 1.0
vendor:	mada	model:	soho wireless router	scope:	eq	version:	2.10.13	Trust: 0.9
vendor:	greenpacket	model:	ox-350	scope:	eq	version:	0	Trust: 0.9
vendor:	greenpacket	model:	ox350	scope:	eq	version:	0	Trust: 0.9
vendor:	huawei	model:	bm2022	scope:	eq	version:	2.10.14	Trust: 0.9
vendor:	huawei	model:	hes-309m	scope:	eq	version:	0	Trust: 0.9
vendor:	huawei	model:	hes-319m	scope:	eq	version:	0	Trust: 0.9
vendor:	huawei	model:	hes-319m2w	scope:	eq	version:	0	Trust: 0.9
vendor:	huawei	model:	hes-339m	scope:	eq	version:	0	Trust: 0.9
vendor:	zte	model:	ox-330p	scope:	eq	version:	0	Trust: 0.9
vendor:	zyxel	model:	max218m 2.00 d0	scope:	-	version:	-	Trust: 0.9
vendor:	zyxel	model:	max218m1w 2.00 d0	scope:	-	version:	-	Trust: 0.9
vendor:	zyxel	model:	max218mw 2.00 d0	scope:	-	version:	-	Trust: 0.9
vendor:	zyxel	model:	max308m 2.00 d0	scope:	-	version:	-	Trust: 0.9
vendor:	zyxel	model:	max318m	scope:	eq	version:	0	Trust: 0.9
vendor:	zyxel	model:	max338m	scope:	eq	version:	0	Trust: 0.9
vendor:	huawei	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	zte	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	zyxel	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	green packet	model:	ox-350	scope:	-	version:	-	Trust: 0.8
vendor:	green packet	model:	ox350	scope:	-	version:	-	Trust: 0.8
vendor:	huawei	model:	bm2022	scope:	eq	version:	(version: v2.10.14)	Trust: 0.8
vendor:	huawei	model:	hes-309m	scope:	-	version:	-	Trust: 0.8
vendor:	huawei	model:	hes-319m	scope:	-	version:	-	Trust: 0.8
vendor:	huawei	model:	hes-319m2w	scope:	-	version:	-	Trust: 0.8
vendor:	huawei	model:	hes-339m	scope:	-	version:	-	Trust: 0.8
vendor:	mada	model:	soho wireless router	scope:	eq	version:	(version: v2.10.13)	Trust: 0.8
vendor:	zte	model:	ox-330p	scope:	-	version:	-	Trust: 0.8
vendor:	zyxel	model:	max218m	scope:	eq	version:	(version: 2.00(uxg.0)d0)	Trust: 0.8
vendor:	zyxel	model:	max218m1w	scope:	eq	version:	(version: 2.00(uxe.3)d0)	Trust: 0.8
vendor:	zyxel	model:	max218mw	scope:	eq	version:	(version: 2.00(uxd.2)d0)	Trust: 0.8
vendor:	zyxel	model:	max308m	scope:	eq	version:	(version: 2.00(uua.3)d0)	Trust: 0.8
vendor:	zyxel	model:	max318m	scope:	-	version:	-	Trust: 0.8
vendor:	zyxel	model:	max338m	scope:	-	version:	-	Trust: 0.8

sources: CERT/CC: VU#350135 // CNVD: CNVD-2017-14427 // BID: 99078 // JVNDB: JVNDB-2017-003883 // CNNVD: CNNVD-201706-793 // NVD: CVE-2017-3216

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-3216
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2017-3216
value:	HIGH
Trust: 0.8
IPA:	JVNDB-2017-003883
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2017-14427
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201706-793
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-111419
value:	HIGH
Trust: 0.1
VULMON:	CVE-2017-3216
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2017-3216
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	CVE-2017-3216
severity:	HIGH
baseScore:	10.0
vectorString:	NONE
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
IPA:	JVNDB-2017-003883
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2017-14427
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-111419
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-3216
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.0
IPA:	JVNDB-2017-003883
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CERT/CC: VU#350135 // CNVD: CNVD-2017-14427 // VULHUB: VHN-111419 // VULMON: CVE-2017-3216 // JVNDB: JVNDB-2017-003883 // CNNVD: CNNVD-201706-793 // NVD: CVE-2017-3216

PROBLEMTYPE DATA

problemtype:

CWE-306

Trust: 1.9

sources: VULHUB: VHN-111419 // JVNDB: JVNDB-2017-003883 // NVD: CVE-2017-3216

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-793

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201706-793

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003883

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#350135

PATCH

title:

Threatpost

url:

https://threatpost.com/authentication-bypass-potential-backdoors-plague-old-wimax-routers/126135/

Trust: 0.1

sources: VULMON: CVE-2017-3216

EXTERNAL IDS

db:	CERT/CC	id:	VU#350135	Trust: 3.7
db:	NVD	id:	CVE-2017-3216	Trust: 3.5
db:	BID	id:	99078	Trust: 1.1
db:	JVN	id:	JVNVU92606107	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-003883	Trust: 0.8
db:	CNNVD	id:	CNNVD-201706-793	Trust: 0.7
db:	CNVD	id:	CNVD-2017-14427	Trust: 0.6
db:	VULHUB	id:	VHN-111419	Trust: 0.1
db:	VULMON	id:	CVE-2017-3216	Trust: 0.1

sources: CERT/CC: VU#350135 // CNVD: CNVD-2017-14427 // VULHUB: VHN-111419 // VULMON: CVE-2017-3216 // BID: 99078 // JVNDB: JVNDB-2017-003883 // CNNVD: CNNVD-201706-793 // NVD: CVE-2017-3216

REFERENCES

url:	https://sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170607-0_various_wimax_cpes_authentication_bypass_v10.txt	Trust: 3.4
url:	http://blog.sec-consult.com/2017/06/ghosts-from-past-authentication-bypass.html	Trust: 3.4
url:	http://www.kb.cert.org/vuls/id/350135	Trust: 3.0
url:	http://cwe.mitre.org/data/definitions/306.html	Trust: 0.9
url:	http://www.huawei.com/en/psirt/security-notices/huawei-sn-20170608-01-wimax-en	Trust: 0.8
url:	http://www.zyxel.com/support/announcement_vulnerability_cve_2017_3216.shtml	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3216	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu92606107/index.html	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3216	Trust: 0.8
url:	http://www.securityfocus.com/bid/99078	Trust: 0.7
url:	https://nvd.nist.gov	Trust: 0.1

CREDITS

Stefan Viehböck, SEC Consult Vulnerability Lab

Trust: 0.3

sources: BID: 99078

SOURCES

db:	CERT/CC	id:	VU#350135
db:	CNVD	id:	CNVD-2017-14427
db:	VULHUB	id:	VHN-111419
db:	VULMON	id:	CVE-2017-3216
db:	BID	id:	99078
db:	JVNDB	id:	JVNDB-2017-003883
db:	CNNVD	id:	CNNVD-201706-793
db:	NVD	id:	CVE-2017-3216

LAST UPDATE DATE

2024-11-23T22:17:55.733000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#350135	date:	2017-07-24T00:00:00
db:	CNVD	id:	CNVD-2017-14427	date:	2017-07-17T00:00:00
db:	VULHUB	id:	VHN-111419	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2017-3216	date:	2019-10-09T00:00:00
db:	BID	id:	99078	date:	2017-06-07T00:00:00
db:	JVNDB	id:	JVNDB-2017-003883	date:	2018-02-07T00:00:00
db:	CNNVD	id:	CNNVD-201706-793	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-3216	date:	2024-11-21T03:25:03.387

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#350135	date:	2017-06-07T00:00:00
db:	CNVD	id:	CNVD-2017-14427	date:	2017-07-14T00:00:00
db:	VULHUB	id:	VHN-111419	date:	2017-06-20T00:00:00
db:	VULMON	id:	CVE-2017-3216	date:	2017-06-20T00:00:00
db:	BID	id:	99078	date:	2017-06-07T00:00:00
db:	JVNDB	id:	JVNDB-2017-003883	date:	2017-06-09T00:00:00
db:	CNNVD	id:	CNNVD-201706-793	date:	2017-06-19T00:00:00
db:	NVD	id:	CVE-2017-3216	date:	2017-06-20T00:29:00.267