Details of VAR-201908-0562

ID

VAR-201908-0562

CVE

CVE-2019-13268

TITLE

TP-Link Archer C3200 and Archer C2 Input Validation Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2019-31309 // CNNVD: CNNVD-201908-2080

DESCRIPTION

TP-Link Archer C3200 V1 and Archer C2 V1 devices have Insufficient Compartmentalization between a host network and a guest network that are established by the same device. They forward ARP requests, which are sent as broadcast packets, between the host and the guest networks. To use this leakage as a direct covert channel, the sender can trivially issue an ARP request to an arbitrary computer on the network. (In general, some routers restrict ARP forwarding only to requests destined for the network's subnet mask, but these routers did not restrict this traffic in any way. Depending on this factor, one must use either the lower 8 bits of the IP address, or the entire 32 bits, as the data payload.). The TP-Link Archer C3200 and Archer C2 are both wireless routers from China's TP-Link. The vulnerability stems from the fact that the program does not fully isolate the host network and guest network on the same device

Trust: 2.25

sources: NVD: CVE-2019-13268 // JVNDB: JVNDB-2019-008821 // CNVD: CNVD-2019-31309 // VULHUB: VHN-145097

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-31309

AFFECTED PRODUCTS

vendor:	tp link	model:	archer c2 v1	scope:	eq	version:	-	Trust: 1.0
vendor:	tp link	model:	archer c3200 v1	scope:	eq	version:	-	Trust: 1.0
vendor:	tp link	model:	archer c2	scope:	-	version:	-	Trust: 0.8
vendor:	tp link	model:	archer c3200	scope:	-	version:	-	Trust: 0.8
vendor:	tp link	model:	archer c3200	scope:	eq	version:	v1	Trust: 0.6
vendor:	tp link	model:	archer c2	scope:	eq	version:	v1	Trust: 0.6

sources: CNVD: CNVD-2019-31309 // JVNDB: JVNDB-2019-008821 // NVD: CVE-2019-13268

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-13268
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-13268
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-31309
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201908-2080
value:	HIGH
Trust: 0.6
VULHUB:	VHN-145097
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-13268
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-31309
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-145097
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-13268
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-31309 // VULHUB: VHN-145097 // JVNDB: JVNDB-2019-008821 // CNNVD: CNNVD-201908-2080 // NVD: CVE-2019-13268

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-145097 // JVNDB: JVNDB-2019-008821 // NVD: CVE-2019-13268

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201908-2080

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201908-2080

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-008821

PATCH

title:	Archer C2	url:	https://www.tp-link.com/us/home-networking/wifi-router/archer-c2/	Trust: 0.8
title:	Archer C3200	url:	https://www.tp-link.com/us/home-networking/wifi-router/archer-c3200/	Trust: 0.8

sources: JVNDB: JVNDB-2019-008821

EXTERNAL IDS

db:	NVD	id:	CVE-2019-13268	Trust: 3.1
db:	JVNDB	id:	JVNDB-2019-008821	Trust: 0.8
db:	CNNVD	id:	CNNVD-201908-2080	Trust: 0.7
db:	CNVD	id:	CNVD-2019-31309	Trust: 0.6
db:	VULHUB	id:	VHN-145097	Trust: 0.1

sources: CNVD: CNVD-2019-31309 // VULHUB: VHN-145097 // JVNDB: JVNDB-2019-008821 // CNNVD: CNNVD-201908-2080 // NVD: CVE-2019-13268

REFERENCES

url:	https://www.usenix.org/system/files/woot19-paper_ovadia.pdf	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2019-13268	Trust: 2.0
url:	https://orenlab.sise.bgu.ac.il/publications/crossrouter	Trust: 1.7
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-13268	Trust: 0.8

sources: CNVD: CNVD-2019-31309 // VULHUB: VHN-145097 // JVNDB: JVNDB-2019-008821 // CNNVD: CNNVD-201908-2080 // NVD: CVE-2019-13268

SOURCES

db:	CNVD	id:	CNVD-2019-31309
db:	VULHUB	id:	VHN-145097
db:	JVNDB	id:	JVNDB-2019-008821
db:	CNNVD	id:	CNNVD-201908-2080
db:	NVD	id:	CVE-2019-13268

LAST UPDATE DATE

2024-11-23T21:36:58.157000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-31309	date:	2019-09-12T00:00:00
db:	VULHUB	id:	VHN-145097	date:	2019-09-04T00:00:00
db:	JVNDB	id:	JVNDB-2019-008821	date:	2019-09-06T00:00:00
db:	CNNVD	id:	CNNVD-201908-2080	date:	2019-09-05T00:00:00
db:	NVD	id:	CVE-2019-13268	date:	2024-11-21T04:24:35.190

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-31309	date:	2019-09-11T00:00:00
db:	VULHUB	id:	VHN-145097	date:	2019-08-27T00:00:00
db:	JVNDB	id:	JVNDB-2019-008821	date:	2019-09-06T00:00:00
db:	CNNVD	id:	CNNVD-201908-2080	date:	2019-08-27T00:00:00
db:	NVD	id:	CVE-2019-13268	date:	2019-08-27T18:15:10.950