Sign-up

ID

VAR-201801-0537


CVE

CVE-2017-15655


TITLE

Asus asuswrt Buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-012291

DESCRIPTION

Multiple buffer overflow vulnerabilities exist in the HTTPd server in Asus asuswrt version <=3.0.0.4.376.X. All have been fixed in version 3.0.0.4.378, but this vulnerability was not previously disclosed. Some end-of-life routers have this version as the newest and thus are vulnerable at this time. This vulnerability allows for RCE with administrator rights when the administrator visits several pages. Asus asuswrt Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ASUSWRT is the unified firmware used by ASUS in its latest routers and is the web-based graphical user interface of the ASUS router. An attacker could exploit the vulnerability to remotely execute code with administrator privileges. HTTPd server is one of the HTTP servers

Trust: 2.25

sources: NVD: CVE-2017-15655 // JVNDB: JVNDB-2017-012291 // CNVD: CNVD-2018-02920 // VULHUB: VHN-106499

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-02920

AFFECTED PRODUCTS

vendor:asusmodel:asuswrtscope:ltversion:3.0.0.4.378

Trust: 1.0

vendor:asustek computermodel:asuswrtscope:lteversion:3.0.0.4.376.x

Trust: 0.8

vendor:asusmodel:asuswrtscope:lteversion:<=3.0.0.4.376.x

Trust: 0.6

sources: CNVD: CNVD-2018-02920 // JVNDB: JVNDB-2017-012291 // NVD: CVE-2017-15655

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-15655
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-15655
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2018-02920
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201710-1109
value: CRITICAL

Trust: 0.6

VULHUB: VHN-106499
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-15655
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-02920
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-106499
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-15655
baseSeverity: CRITICAL
baseScore: 9.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 6.0
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-02920 // VULHUB: VHN-106499 // JVNDB: JVNDB-2017-012291 // CNNVD: CNNVD-201710-1109 // NVD: CVE-2017-15655

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-106499 // JVNDB: JVNDB-2017-012291 // NVD: CVE-2017-15655

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-1109

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201710-1109

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-012291

PATCH
title:ASUSWRTurl:https://www.asus.com/ASUSWRT/
Trust: 0.8
title:Patch for Asusasuswrt Buffer Overflow Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/115867
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2018-02920 // 
            
            
            
            JVNDB: JVNDB-2017-012291

EXTERNAL IDS
db:NVDid:CVE-2017-15655
Trust: 3.2
db:PACKETSTORMid:145921
Trust: 1.8
db:JVNDBid:JVNDB-2017-012291
Trust: 0.8
db:CNNVDid:CNNVD-201710-1109
Trust: 0.7
db:CNVDid:CNVD-2018-02920
Trust: 0.6
db:VULHUBid:VHN-106499
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-02920 // 
            
            
            
            VULHUB: VHN-106499 // 
            
            
            
            JVNDB: JVNDB-2017-012291 // 
            
            
            
            PACKETSTORM: 145921 // 
            
            
            
            CNNVD: CNNVD-201710-1109 // 
            
            
            
            NVD: CVE-2017-15655

REFERENCES
url:http://seclists.org/fulldisclosure/2018/jan/63
Trust: 2.5
url:http://packetstormsecurity.com/files/145921/asuswrt-3.0.0.4.382.18495-session-hijacking-information-disclosure.html
Trust: 1.7
url:http://sploit.tech/2018/01/16/asus-part-i.html
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2017-15655
Trust: 1.5
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-15655
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-15654
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-15656
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-15653
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-02920 // 
            
            
            
            VULHUB: VHN-106499 // 
            
            
            
            JVNDB: JVNDB-2017-012291 // 
            
            
            
            PACKETSTORM: 145921 // 
            
            
            
            CNNVD: CNNVD-201710-1109 // 
            
            
            
            NVD: CVE-2017-15655

CREDITS
Blazej Adamczyk
Trust: 0.1
sources:
            
            
            PACKETSTORM: 145921

SOURCES
db:CNVDid:CNVD-2018-02920
db:VULHUBid:VHN-106499
db:JVNDBid:JVNDB-2017-012291
db:PACKETSTORMid:145921
db:CNNVDid:CNNVD-201710-1109
db:NVDid:CVE-2017-15655

LAST UPDATE DATE
2024-11-23T22:30:32.228000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-02920date:2018-02-07T00:00:00
db:VULHUBid:VHN-106499date:2018-02-21T00:00:00
db:JVNDBid:JVNDB-2017-012291date:2018-03-06T00:00:00
db:CNNVDid:CNNVD-201710-1109date:2018-02-01T00:00:00
db:NVDid:CVE-2017-15655date:2024-11-21T03:14:58.203

SOURCES RELEASE DATE
db:CNVDid:CNVD-2018-02920date:2018-02-07T00:00:00
db:VULHUBid:VHN-106499date:2018-01-31T00:00:00
db:JVNDBid:JVNDB-2017-012291date:2018-03-06T00:00:00
db:PACKETSTORMid:145921date:2018-01-16T04:44:44
db:CNNVDid:CNNVD-201710-1109date:2017-10-24T00:00:00
db:NVDid:CVE-2017-15655date:2018-01-31T20:29:00.350