Details of VAR-201910-1414

ID

VAR-201910-1414

CVE

CVE-2016-11014

TITLE

NETGEAR JNR1010 Session expiration vulnerability on devices

Trust: 0.8

sources: JVNDB: JVNDB-2016-009566

DESCRIPTION

NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case. NETGEAR JNR1010 The device contains a session expiration vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. NETGEAR JNR1010 is a wireless router from NETGEAR. NETGEAR JNR1010 versions prior to 1.0.0.32 had an access control error vulnerability that originated from a network system or product that did not properly restrict access to resources from unauthorized roles. No detailed vulnerability details are provided at this time. Hi, Can you assign CVE id to this flaw? Details ================ #Product Vendor: Netgear #Netgear GPL: http://kb.netgear.com/app/answers/detail/a_id/2649/~/netgear-open-source-code-for-programmers-(gpl) http://www.gnu.org/licenses/gpl.txt #Bug Name: Broken Authentication & Improper Session Management in Netgear Router JNR1010 Version 1.0.0.24 #Software: Netgear Router JNR1010 Firmware #Version: 1.0.0.24 #Last Updated: 10-06-2015 <http://kb.netgear.com/app/answers/detail/a_id/29270/~/jnr1010-firmware-version-1.0.0.24> #Homepage: http://netgear.com/ #Severity High #Status: Fixed <http://kb.netgear.com/app/answers/detail/a_id/30177/~/jnr1010-firmware-version-1.0.0.32> #CVE : not assigned #POC Video URL: https://www.youtube.com/watch?v=vd7Ffy0edYg Description ================ Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users. Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Technical Details ================ *Authentication Bypass:* Try Accessing the URL which the normal user have no longer access without credentials with auth token value as* “ok” *and HTTP Basic Authentication header with password value *Improper Session Management:* Create a fake Session ID and submit the request to the server with the credentials. Whereas, you can see that the session id has no change even after getting logged in and during logout process. For more, also refer - https://github.com/cybersecurityworks/Disclosed/issues/14 Fix ================ Regenerate the session-id of the end user during login and logout process. Invalidate all the initialized session variables during logout process. Check for unauthenticated access to all the pages inside login. Remove Basic HTTP Authentication and Implement any other authentication technique. Advisory Timeline ================ 28/10/2015 - Discovered in Netgear Router JNR1010 Firmware Version 1.0.0.24 28/10//2015 - Reported to vendor through support option but, no response 30/10//2015 - Reported to vendor through another support option available here <http://support.netgear.com/for_home/default.aspx>. But, again no response. 03/11/2015 - Finally, Technical Team started addressing about the issue after so many follow ups through phone/mail. 13/12/2015 - Vulnerability got fixed & case was closed. 30/12/2015 - Netgear Released updated version 1.0.0.32 <http://kb.netgear.com/app/answers/detail/a_id/30177/~/jnr1010-firmware-version-1.0.0.32> Credits & Authors ================ Sathish Kumar <sathish@cybersecurityworks.com> from cybersecurityworks Pvt Ltd <http://www.cybersecurityworks.com> About Cybersecurityworks ================ Cybersecurity Works is basically an auditing company passionate working on findings & reporting security flaws & vulnerabilities on web application and network. As professionals, we handle each client differently based on their unique requirements. Visit our website <http://www.cybersecurityworks.com> for more information. -- ---------- Cheers !!! Team CSW Research Lab <http://www.cybersecurityworks.com>

Trust: 2.25

sources: NVD: CVE-2016-11014 // JVNDB: JVNDB-2016-009566 // CNVD: CNVD-2019-36471 // PACKETSTORM: 135216

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-36471

AFFECTED PRODUCTS

vendor:	netgear	model:	jnr1010	scope:	lt	version:	1.0.0.32	Trust: 1.6
vendor:	net gear	model:	jnr1010	scope:	lt	version:	1.0.0.32	Trust: 0.8

sources: CNVD: CNVD-2019-36471 // JVNDB: JVNDB-2016-009566 // NVD: CVE-2016-11014

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-11014
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-11014
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2019-36471
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201910-1171
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2016-11014
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-36471
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2016-11014
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2016-11014
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2019-36471 // JVNDB: JVNDB-2016-009566 // CNNVD: CNNVD-201910-1171 // NVD: CVE-2016-11014

PROBLEMTYPE DATA

problemtype:

CWE-613

Trust: 1.8

sources: JVNDB: JVNDB-2016-009566 // NVD: CVE-2016-11014

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1171

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201910-1171

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-009566

PATCH

title:	JNR1010 - N150 4 Port Wireless Router	url:	https://www.netgear.com/support/product/JNR1010.aspx	Trust: 0.8
title:	Patch for NETGEAR JNR1010 Access Control Error Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/186191	Trust: 0.6

sources: CNVD: CNVD-2019-36471 // JVNDB: JVNDB-2016-009566

EXTERNAL IDS

db:	NVD	id:	CVE-2016-11014	Trust: 3.0
db:	PACKETSTORM	id:	135216	Trust: 2.3
db:	JVNDB	id:	JVNDB-2016-009566	Trust: 0.8
db:	CNVD	id:	CNVD-2019-36471	Trust: 0.6
db:	CNNVD	id:	CNNVD-201910-1171	Trust: 0.6

sources: CNVD: CNVD-2019-36471 // JVNDB: JVNDB-2016-009566 // PACKETSTORM: 135216 // CNNVD: CNNVD-201910-1171 // NVD: CVE-2016-11014

REFERENCES

url:	https://lists.openwall.net/full-disclosure/2016/01/11/5	Trust: 3.0
url:	https://github.com/cybersecurityworks/disclosed/issues/14	Trust: 2.3
url:	https://khalil-shreateh.com/khalil.shtml/it-highlights/593-netgear-1.0.0.24-bypass---improper-session-management--.html	Trust: 2.2
url:	https://packetstormsecurity.com/files/135216/netgear-1.0.0.24-bypass-improper-session-management.html	Trust: 2.2
url:	https://cybersecurityworks.com/zerodays/cve-2016-11014-netgear.html	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-11014	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2016-11014	Trust: 0.8
url:	https://www.youtube.com/watch?v=vd7ffy0edyg	Trust: 0.1
url:	http://www.cybersecurityworks.com>	Trust: 0.1
url:	http://netgear.com/	Trust: 0.1
url:	http://kb.netgear.com/app/answers/detail/a_id/2649/~/netgear-open-source-code-for-programmers-(gpl)	Trust: 0.1
url:	http://kb.netgear.com/app/answers/detail/a_id/29270/~/jnr1010-firmware-version-1.0.0.24>	Trust: 0.1
url:	http://kb.netgear.com/app/answers/detail/a_id/30177/~/jnr1010-firmware-version-1.0.0.32>	Trust: 0.1
url:	http://support.netgear.com/for_home/default.aspx>.	Trust: 0.1
url:	http://www.gnu.org/licenses/gpl.txt	Trust: 0.1

sources: CNVD: CNVD-2019-36471 // JVNDB: JVNDB-2016-009566 // PACKETSTORM: 135216 // CNNVD: CNNVD-201910-1171 // NVD: CVE-2016-11014

CREDITS

CSW Research Lab, Sathish Kumar

Trust: 0.1

sources: PACKETSTORM: 135216

SOURCES

db:	CNVD	id:	CNVD-2019-36471
db:	JVNDB	id:	JVNDB-2016-009566
db:	PACKETSTORM	id:	135216
db:	CNNVD	id:	CNNVD-201910-1171
db:	NVD	id:	CVE-2016-11014

LAST UPDATE DATE

2024-11-23T22:37:37.064000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-36471	date:	2019-10-22T00:00:00
db:	JVNDB	id:	JVNDB-2016-009566	date:	2019-10-28T00:00:00
db:	CNNVD	id:	CNNVD-201910-1171	date:	2020-10-30T00:00:00
db:	NVD	id:	CVE-2016-11014	date:	2024-11-21T02:45:18.207

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-36471	date:	2019-10-22T00:00:00
db:	JVNDB	id:	JVNDB-2016-009566	date:	2019-10-28T00:00:00
db:	PACKETSTORM	id:	135216	date:	2016-01-11T17:06:04
db:	CNNVD	id:	CNNVD-201910-1171	date:	2019-10-16T00:00:00
db:	NVD	id:	CVE-2016-11014	date:	2019-10-16T11:15:13.380