Sign-up

ID

VAR-201905-0657


CVE

CVE-2017-18374


TITLE

ZyXEL P660HN-T1A Vulnerabilities related to the use of hard-coded credentials in routers

Trust: 0.8

sources: JVNDB: JVNDB-2017-014433

DESCRIPTION

The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has two user accounts with default passwords, including a hardcoded service account with the username true and password true. These accounts can be used to login to the web interface, exploit authenticated command injections and change router settings for malicious purposes. ZyXEL P660HN-T1A The router contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ZyXEL P660HN-T1A is a wireless router made by ZyXEL, Taiwan, China. There is a trust management issue vulnerability in ZyXEL P660HN-T1A (hardware 2 version, TrueOnline firmware 200AAJS3D0 version). This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords or hard-coded passwords, hard-coded certificates, etc. to attack affected components

Trust: 1.71

sources: NVD: CVE-2017-18374 // JVNDB: JVNDB-2017-014433 // VULHUB: VHN-109490

AFFECTED PRODUCTS

vendor:zyxelmodel:p660hn-t1a v2scope:eqversion:7.3.15.0

Trust: 1.0

vendor:billionmodel:5200w-tscope:eqversion:7.3.8.0

Trust: 1.0

vendor:zyxelmodel:p660hn-t1a v1scope:eqversion:7.3.15.0

Trust: 1.0

vendor:billionmodel:5200w-tscope: - version: -

Trust: 0.8

vendor:zyxelmodel:p660hn-t1a v1scope: - version: -

Trust: 0.8

vendor:zyxelmodel:p660hn-t1a v2scope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2017-014433 // NVD: CVE-2017-18374

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-18374
value: HIGH

Trust: 1.0

NVD: CVE-2017-18374
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201905-079
value: HIGH

Trust: 0.6

VULHUB: VHN-109490
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-18374
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-109490
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-18374
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-109490 // JVNDB: JVNDB-2017-014433 // CNNVD: CNNVD-201905-079 // NVD: CVE-2017-18374

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.9

sources: VULHUB: VHN-109490 // JVNDB: JVNDB-2017-014433 // NVD: CVE-2017-18374

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-079

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201905-079

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-014433

PATCH
title:Top Pageurl:http://www.billion.com.tw/index.aspx
Trust: 0.8
title:Top Pageurl:https://www.zyxel.com/homepage.shtml
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2017-014433

EXTERNAL IDS
db:NVDid:CVE-2017-18374
Trust: 2.5
db:JVNDBid:JVNDB-2017-014433
Trust: 0.8
db:CNNVDid:CNNVD-201905-079
Trust: 0.7
db:VULHUBid:VHN-109490
Trust: 0.1
sources:
            
            
            VULHUB: VHN-109490 // 
            
            
            
            JVNDB: JVNDB-2017-014433 // 
            
            
            
            CNNVD: CNNVD-201905-079 // 
            
            
            
            NVD: CVE-2017-18374

REFERENCES
url:https://seclists.org/fulldisclosure/2017/jan/40
Trust: 2.5
url:http://www.zyxel.com/support/announcement_unauthenticated.shtml
Trust: 1.7
url:https://raw.githubusercontent.com/pedrib/poc/master/advisories/zyxel_trueonline.txt
Trust: 1.7
url:https://ssd-disclosure.com/index.php/archives/2910
Trust: 1.7
url:https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2017-18374
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-18374
Trust: 0.8
sources:
            
            
            VULHUB: VHN-109490 // 
            
            
            
            JVNDB: JVNDB-2017-014433 // 
            
            
            
            CNNVD: CNNVD-201905-079 // 
            
            
            
            NVD: CVE-2017-18374

SOURCES
db:VULHUBid:VHN-109490
db:JVNDBid:JVNDB-2017-014433
db:CNNVDid:CNNVD-201905-079
db:NVDid:CVE-2017-18374

LAST UPDATE DATE
2024-11-23T21:37:18.175000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-109490date:2019-05-03T00:00:00
db:JVNDBid:JVNDB-2017-014433date:2019-05-23T00:00:00
db:CNNVDid:CNNVD-201905-079date:2019-05-09T00:00:00
db:NVDid:CVE-2017-18374date:2024-11-21T03:19:57.837

SOURCES RELEASE DATE
db:VULHUBid:VHN-109490date:2019-05-02T00:00:00
db:JVNDBid:JVNDB-2017-014433date:2019-05-23T00:00:00
db:CNNVDid:CNNVD-201905-079date:2019-05-02T00:00:00
db:NVDid:CVE-2017-18374date:2019-05-02T17:29:01.490