Sign-up

ID

VAR-201801-0536


CVE

CVE-2017-15654


TITLE

Asus asuswrt Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-012290

DESCRIPTION

Highly predictable session tokens in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt allow gaining administrative router access. Asus asuswrt Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ASUSWRT is the unified firmware used by ASUS in its latest routers and is the web-based graphical user interface of the ASUS router. An attacker could exploit this vulnerability to gain access to the router administrator. HTTPd server is one of the HTTP servers. The vulnerability is caused by the program generating easily guessable session tokens

Trust: 2.25

sources: NVD: CVE-2017-15654 // JVNDB: JVNDB-2017-012290 // CNVD: CNVD-2018-02919 // VULHUB: VHN-106498

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-02919

AFFECTED PRODUCTS

vendor:asusmodel:asuswrtscope:lteversion:3.0.0.4.380.7743

Trust: 1.0

vendor:asustek computermodel:asuswrtscope:lteversion:3.0.0.4.380.7743

Trust: 0.8

vendor:asusmodel:asuswrtscope:lteversion:<=3.0.0.4.380.7743

Trust: 0.6

vendor:asusmodel:asuswrtscope:eqversion:3.0.0.4.380.7743

Trust: 0.6

sources: CNVD: CNVD-2018-02919 // JVNDB: JVNDB-2017-012290 // CNNVD: CNNVD-201710-1110 // NVD: CVE-2017-15654

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-15654
value: HIGH

Trust: 1.0

NVD: CVE-2017-15654
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-02919
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201710-1110
value: HIGH

Trust: 0.6

VULHUB: VHN-106498
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-15654
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-02919
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-106498
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-15654
baseSeverity: HIGH
baseScore: 8.3
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 6.0
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-02919 // VULHUB: VHN-106498 // JVNDB: JVNDB-2017-012290 // CNNVD: CNNVD-201710-1110 // NVD: CVE-2017-15654

PROBLEMTYPE DATA

problemtype:CWE-330

Trust: 1.1

problemtype:CWE-284

Trust: 0.9

sources: VULHUB: VHN-106498 // JVNDB: JVNDB-2017-012290 // NVD: CVE-2017-15654

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-1110

TYPE

security feature problem

Trust: 0.6

sources: CNNVD: CNNVD-201710-1110

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-012290

PATCH
title:ASUSWRTurl:https://www.asus.com/ASUSWRT/
Trust: 0.8
title:Asusasuswrt session token predictable vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/115869
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2018-02919 // 
            
            
            
            JVNDB: JVNDB-2017-012290

EXTERNAL IDS
db:NVDid:CVE-2017-15654
Trust: 3.2
db:PACKETSTORMid:145921
Trust: 1.8
db:JVNDBid:JVNDB-2017-012290
Trust: 0.8
db:CNNVDid:CNNVD-201710-1110
Trust: 0.7
db:CNVDid:CNVD-2018-02919
Trust: 0.6
db:VULHUBid:VHN-106498
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-02919 // 
            
            
            
            VULHUB: VHN-106498 // 
            
            
            
            JVNDB: JVNDB-2017-012290 // 
            
            
            
            PACKETSTORM: 145921 // 
            
            
            
            CNNVD: CNNVD-201710-1110 // 
            
            
            
            NVD: CVE-2017-15654

REFERENCES
url:http://seclists.org/fulldisclosure/2018/jan/63
Trust: 2.5
url:http://packetstormsecurity.com/files/145921/asuswrt-3.0.0.4.382.18495-session-hijacking-information-disclosure.html
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2017-15654
Trust: 1.5
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-15654
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-15656
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-15655
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-15653
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-02919 // 
            
            
            
            VULHUB: VHN-106498 // 
            
            
            
            JVNDB: JVNDB-2017-012290 // 
            
            
            
            PACKETSTORM: 145921 // 
            
            
            
            CNNVD: CNNVD-201710-1110 // 
            
            
            
            NVD: CVE-2017-15654

CREDITS
Blazej Adamczyk
Trust: 0.1
sources:
            
            
            PACKETSTORM: 145921

SOURCES
db:CNVDid:CNVD-2018-02919
db:VULHUBid:VHN-106498
db:JVNDBid:JVNDB-2017-012290
db:PACKETSTORMid:145921
db:CNNVDid:CNNVD-201710-1110
db:NVDid:CVE-2017-15654

LAST UPDATE DATE
2024-11-23T22:30:32.156000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-02919date:2018-02-07T00:00:00
db:VULHUBid:VHN-106498date:2019-10-03T00:00:00
db:JVNDBid:JVNDB-2017-012290date:2018-03-06T00:00:00
db:CNNVDid:CNNVD-201710-1110date:2019-10-23T00:00:00
db:NVDid:CVE-2017-15654date:2024-11-21T03:14:58.057

SOURCES RELEASE DATE
db:CNVDid:CNVD-2018-02919date:2018-02-07T00:00:00
db:VULHUBid:VHN-106498date:2018-01-31T00:00:00
db:JVNDBid:JVNDB-2017-012290date:2018-03-06T00:00:00
db:PACKETSTORMid:145921date:2018-01-16T04:44:44
db:CNNVDid:CNNVD-201710-1110date:2017-10-24T00:00:00
db:NVDid:CVE-2017-15654date:2018-01-31T20:29:00.290