Details of VAR-201801-1393

ID

VAR-201801-1393

CVE

CVE-2018-5999

TITLE

AsusWRT Vulnerabilities related to certificate and password management

Trust: 0.8

sources: JVNDB: JVNDB-2018-001660

DESCRIPTION

An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails. AsusWRT Contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ASUS AsusWRT is a router operating system developed by ASUS. There is a security vulnerability in the 'handle_request' function of the router/httpd/httpd.c file in ASUS AsusWRT versions earlier than 3.0.0.4.384_10007. An attacker can exploit this vulnerability to execute a POST request

Trust: 1.8

sources: NVD: CVE-2018-5999 // JVNDB: JVNDB-2018-001660 // VULHUB: VHN-136031 // VULMON: CVE-2018-5999

AFFECTED PRODUCTS

vendor:	asus	model:	asuswrt	scope:	lt	version:	3.0.0.4.384_10007	Trust: 1.0
vendor:	asustek computer	model:	asuswrt	scope:	lt	version:	3.0.0.4.384_10007	Trust: 0.8

sources: JVNDB: JVNDB-2018-001660 // NVD: CVE-2018-5999

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-5999
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2018-5999
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201801-852
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-136031
value:	HIGH
Trust: 0.1
VULMON:	CVE-2018-5999
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-5999
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-136031
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-5999
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-136031 // VULMON: CVE-2018-5999 // JVNDB: JVNDB-2018-001660 // CNNVD: CNNVD-201801-852 // NVD: CVE-2018-5999

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-255	Trust: 0.9

sources: VULHUB: VHN-136031 // JVNDB: JVNDB-2018-001660 // NVD: CVE-2018-5999

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-852

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201801-852

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-001660

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-136031 // VULMON: CVE-2018-5999

PATCH

title:	ASUSWRT	url:	https://www.asus.com/ASUSWRT/	Trust: 0.8
title:	ASUS AsusWRT Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78011	Trust: 0.6
title:	Threatpost	url:	https://threatpost.com/asus-patches-root-command-execution-flaws-haunting-over-a-dozen-router-models/129666/	Trust: 0.1

sources: VULMON: CVE-2018-5999 // JVNDB: JVNDB-2018-001660 // CNNVD: CNNVD-201801-852

EXTERNAL IDS

db:	NVD	id:	CVE-2018-5999	Trust: 2.6
db:	EXPLOIT-DB	id:	43881	Trust: 1.8
db:	EXPLOIT-DB	id:	44176	Trust: 1.8
db:	JVNDB	id:	JVNDB-2018-001660	Trust: 0.8
db:	CNNVD	id:	CNNVD-201801-852	Trust: 0.7
db:	PACKETSTORM	id:	146102	Trust: 0.1
db:	PACKETSTORM	id:	146560	Trust: 0.1
db:	VULHUB	id:	VHN-136031	Trust: 0.1
db:	VULMON	id:	CVE-2018-5999	Trust: 0.1

sources: VULHUB: VHN-136031 // VULMON: CVE-2018-5999 // JVNDB: JVNDB-2018-001660 // CNNVD: CNNVD-201801-852 // NVD: CVE-2018-5999

REFERENCES

url:	https://blogs.securiteam.com/index.php/archives/3589	Trust: 2.6
url:	https://www.exploit-db.com/exploits/43881/	Trust: 1.9
url:	https://www.exploit-db.com/exploits/44176/	Trust: 1.8
url:	https://github.com/pedrib/poc/blob/master/advisories/asuswrt-lan-rce.txt	Trust: 1.8
url:	https://raw.githubusercontent.com/pedrib/poc/master/exploits/metasploit/asuswrt_lan_rce.rb	Trust: 1.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5999	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-5999	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/asus-patches-root-command-execution-flaws-haunting-over-a-dozen-router-models/129666/	Trust: 0.1

sources: VULHUB: VHN-136031 // VULMON: CVE-2018-5999 // JVNDB: JVNDB-2018-001660 // CNNVD: CNNVD-201801-852 // NVD: CVE-2018-5999

SOURCES

db:	VULHUB	id:	VHN-136031
db:	VULMON	id:	CVE-2018-5999
db:	JVNDB	id:	JVNDB-2018-001660
db:	CNNVD	id:	CNNVD-201801-852
db:	NVD	id:	CVE-2018-5999

LAST UPDATE DATE

2024-08-14T14:26:54.099000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-136031	date:	2019-10-03T00:00:00
db:	VULMON	id:	CVE-2018-5999	date:	2019-10-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-001660	date:	2018-02-28T00:00:00
db:	CNNVD	id:	CNNVD-201801-852	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2018-5999	date:	2019-10-03T00:03:26.223

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-136031	date:	2018-01-22T00:00:00
db:	VULMON	id:	CVE-2018-5999	date:	2018-01-22T00:00:00
db:	JVNDB	id:	JVNDB-2018-001660	date:	2018-02-28T00:00:00
db:	CNNVD	id:	CNNVD-201801-852	date:	2018-01-23T00:00:00
db:	NVD	id:	CVE-2018-5999	date:	2018-01-22T20:29:00.227