ID

VAR-202004-0373


CVE

CVE-2020-10231


TITLE

Multiple TP-Link devices: NULL pointer dereference vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-003917

DESCRIPTION

TP-Link NC200 through 2.1.8_Build_171109, NC210 through 1.0.9_Build_171214, NC220 through 1.3.0_Build_180105, NC230 through 1.3.0_Build_171205, NC250 through 1.3.0_Build_171205, NC260 through 1.5.1_Build_190805, and NC450 through 1.5.0_Build_181022 devices allow a remote NULL Pointer Dereference.

A NULL pointer dereference vulnerability exists in multiple TP-Link devices. It may put the device into a denial-of-service (DoS) state.

Vulnerability title: TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference
Author: Pietro Oliva
CVE: CVE-2020-10231
Vendor: TP-LINK
Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450
Affected version: NC200 <= 2.1.8 build 171109, NC210 <= 1.0.9 build 171214, NC220 <= 1.3.0 build 180105, NC230 <= 1.3.0 build 171205, NC250 <= 1.3.0 build 171205, NC260 <= 1.5.1 build 190805, NC450 <= 1.5.0 build 181022

Description: The issue is located in the httpLoginRpm method of the ipcamera binary (handler method for /login.fcgi), where, after successful login, there is no check for NULL in the return value of httpGetEnv(environment, "HTTP_USER_AGENT"). Shortly after that, there is a call to strstr(user_agent_string, "Firefox"); if a User-Agent header is not specified by the client, httpGetEnv returns NULL, and a NULL pointer dereference occurs when calling strstr, with consequent crash of the ipcamera process.

Impact: After the crash, the web interface on port 80 will not be available anymore.

Exploitation: An attacker could exploit this issue by just sending a login request with valid credentials (such as admin or a limited user), but without a User-Agent HTTP header. Default credentials can be used to bypass the credentials requirement.

Evidence: The disassembly of the affected code from an NC200 camera is shown below:

    0x0047dca0 lw a0, (user_arg)
    0x0047dca4 lw a1, (password_arg)
    0x0047dca8 lw t9, -sym.swUMMatchPassword(gp)
    0x0047dcac nop
    0x0047dcb0 jalr t9
    0x0047dcb4 nop
    0x0047dcb8 lw gp, (saved_gp)
    0x0047dcbc sw v0, (auth_result)
    0x0047dcc0 lw v0, (auth_result)
    0x0047dcc4 nop
    0x0047dcc8 bnez v0, 0x47de34
    0x0047dccc nop
    0x0047dcd0 sw zero, (arg_54h)
    0x0047dcd4 lw a0, (environment)
    0x0047dcd8 lw a1, -0x7fe4(gp)
    0x0047dcdc nop
    0x0047dce0 addiu a1, a1, -0x7cb0 ; "HTTP_USER_AGENT"
    0x0047dce4 lw t9, -sym.httpGetEnv(gp)
    0x0047dce8 nop
    0x0047dcec jalr t9
    0x0047dcf0 nop
    0x0047dcf4 lw gp, (saved_gp)
    0x0047dcf8 sw v0, (user_agent_ptr)
    0x0047dcfc lw a0, (user_agent_ptr) ; <== This pointer could be NULL
    0x0047dd00 lw a1, -0x7fe4(gp)
    0x0047dd04 nop
    0x0047dd08 addiu a1, a1, -0x7ca0 ; "Firefox"
    0x0047dd0c lw t9, -sym.imp.strstr(gp)
    0x0047dd10 nop
    0x0047dd14 jalr t9

Disclosure timeline:
2nd December 2019 - Initial vulnerability report for NC200.
4th December 2019 - Vendor confirms vulnerability but does not start fixing due to the product being end-of-life.
4th December 2019 - Notified vendor the vulnerability details will be public and it should be fixed.
6th December 2019 - Thanks for your opinion, we will discuss and write back to you.
<silence>
7th February 2020 - Notified vendor issue exists on NC450 and possibly all models in between. Fixed a disclosure deadline in 30 days.
8th February 2020 - Vendor: We will check but please be patient.
18th February 2020 - We failed to reproduce the issue with the provided PoC.
<trying to troubleshoot>
24th February 2020 - Reverse engineered all the firmware images on behalf of the vendor and notified they were all vulnerable.
2nd March 2020 - Vendor asks to check fixes for NC200.
2nd March 2020 - Confirmed fix. Asked the vendor to do the same on all cameras.
3rd March 2020 - Vendor will check on other cameras, but will take some time.
3rd March 2020 - Asked the vendor to be quick.
9th March 2020 - Notified CVE identifier to vendor, gave extra week to patch.
9th March 2020 - Vendor is testing fix on all models.
13th March 2020 - Vendor asks to confirm fixes.
13th March 2020 - Confirmed fixes and asked the vendor to publish updates. Disclosure delayed one week to give some time to patch if the vendor published firmware updates.
29th March 2020 - No updates have been made public by the vendor. Releasing details to the public after almost 4 months from initial notification.
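The bug class described above (CWE-476: a lookup that can legitimately return NULL, followed by an unchecked strstr) is easy to reproduce and to fix in isolation. The following C program is an added illustration written for this record; it is not code from the ipcamera binary or from the advisory author. The environment type http_env_t, the lookup http_get_env, the two classification functions and the constructed request environments are all assumptions standing in for the camera's httpGetEnv and CGI environment. The "unchecked" variant keeps the advisory's defect so the difference is visible; the "checked" variant treats a missing header as an unknown browser instead of dereferencing NULL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the CGI environment the camera's login handler
 * receives: a NULL-terminated array of "NAME=value" strings, like envp.
 * The real httpGetEnv and its environment structure are not on the page. */
typedef struct {
    const char *const *vars;
} http_env_t;

/* Returns the value of NAME, or NULL when the variable is absent.
 * This NULL-on-absence contract is exactly what the advisory says
 * httpGetEnv has for a request sent without a User-Agent header. */
static const char *http_get_env(const http_env_t *env, const char *name)
{
    size_t n = strlen(name);
    for (const char *const *p = env->vars; *p != NULL; p++) {
        if (strncmp(*p, name, n) == 0 && (*p)[n] == '=')
            return *p + n + 1;
    }
    return NULL;
}

/* Vulnerable pattern, reconstructed from the advisory's description:
 * the result of the lookup goes straight into strstr. With a request
 * that lacks the header this reads through a NULL pointer and crashes,
 * which is the denial of service the record describes. */
static int is_firefox_unchecked(const http_env_t *env)
{
    const char *ua = http_get_env(env, "HTTP_USER_AGENT");
    return strstr(ua, "Firefox") != NULL;
}

/* Hardened form: a missing or empty User-Agent is a valid HTTP request,
 * so it is handled as "not Firefox" rather than as a fatal condition. */
static int is_firefox_checked(const http_env_t *env)
{
    const char *ua = http_get_env(env, "HTTP_USER_AGENT");
    if (ua == NULL)
        return 0;
    return strstr(ua, "Firefox") != NULL;
}

/* Constructed sample environments: one login request carrying a Firefox
 * User-Agent, one carrying no User-Agent header at all. */
static const char *const kRequestWithUa[] = {
    "REQUEST_URI=/login.fcgi",
    "HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0",
    NULL
};
static const char *const kRequestNoUa[] = {
    "REQUEST_URI=/login.fcgi",
    NULL
};
static const http_env_t kEnvWithUa = { kRequestWithUa };
static const http_env_t kEnvNoUa = { kRequestNoUa };

int main(void)
{
    printf("with User-Agent, unchecked: %d\n", is_firefox_unchecked(&kEnvWithUa));
    printf("with User-Agent, checked:   %d\n", is_firefox_checked(&kEnvWithUa));
    /* Only the checked variant is safe to call on the header-less request. */
    printf("no User-Agent, checked:     %d\n", is_firefox_checked(&kEnvNoUa));
    return 0;
}
```

The fix is a single comparison, which is why vendors can ship it quickly once they look; the harder part for a defender is noticing that every httpGetEnv call site in a handler has the same contract, so each one needs the same check or a wrapper that substitutes an empty string.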

Trust: 1.71

sources: NVD: CVE-2020-10231 // JVNDB: JVNDB-2020-003917 // PACKETSTORM: 157048

AFFECTED PRODUCTS

vendor: tp link, model: nc220, scope: eq, version: 1.1.14

Trust: 1.0

vendor: tp link, model: nc200, scope: eq, version: 2.1.8

Trust: 1.0

vendor: tp link, model: nc220, scope: eq, version: 1.3.0

Trust: 1.0

vendor: tp link, model: nc450, scope: eq, version: 1.1.1

Trust: 1.0

vendor: tp link, model: nc260, scope: eq, version: 1.0.6

Trust: 1.0

vendor: tp link, model: nc260, scope: eq, version: 1.0.5

Trust: 1.0

vendor: tp link, model: nc220, scope: eq, version: 1.2.0

Trust: 1.0

vendor: tp link, model: nc210, scope: eq, version: 1.0.9

Trust: 1.0

vendor: tp link, model: nc250, scope: eq, version: 1.3.0

Trust: 1.0

vendor: tp link, model: nc450, scope: eq, version: 1.5.0

Trust: 1.0

vendor: tp link, model: nc200, scope: eq, version: 2.1.6

Trust: 1.0

vendor: tp link, model: nc450, scope: eq, version: 1.1.2

Trust: 1.0

vendor: tp link, model: nc220, scope: eq, version: 1.1.12

Trust: 1.0

vendor: tp link, model: nc450, scope: eq, version: 1.1.6

Trust: 1.0

vendor: tp link, model: nc260, scope: eq, version: 1.5.1

Trust: 1.0

vendor: tp link, model: nc200, scope: eq, version: 2.1.7

Trust: 1.0

vendor: tp link, model: nc230, scope: eq, version: 1.3.0

Trust: 1.0

vendor: tp link, model: nc200, scope: eq, version: 2.1.8_build_171109

Trust: 0.8

vendor: tp link, model: nc210, scope: eq, version: 1.0.9_build_171214

Trust: 0.8

vendor: tp link, model: nc220, scope: eq, version: 1.3.0_build_180105

Trust: 0.8

vendor: tp link, model: nc230, scope: eq, version: 1.3.0_build_171205

Trust: 0.8

vendor: tp link, model: nc250, scope: eq, version: 1.3.0_build_171205

Trust: 0.8

vendor: tp link, model: nc260, scope: eq, version: 1.3.0_build_171205

Trust: 0.8

vendor: tp link, model: nc450, scope: eq, version: 1.5.0_build_181022

Trust: 0.8

sources: JVNDB: JVNDB-2020-003917 // NVD: CVE-2020-10231

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-10231
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-003917
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202004-013
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-10231
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003917
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

nvd@nist.gov: CVE-2020-10231
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003917
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-003917 // CNNVD: CNNVD-202004-013 // NVD: CVE-2020-10231

PROBLEMTYPE DATA

problemtype:CWE-476

Trust: 1.8

sources: JVNDB: JVNDB-2020-003917 // NVD: CVE-2020-10231

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 157048 // CNNVD: CNNVD-202004-013

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202004-013

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003917

PATCH

title: Top Page, url: https://www.tp-link.com.cn/

Trust: 0.8

title: Multiple TP-Link Product code issue vulnerability fixes, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=117071

Trust: 0.6

sources: JVNDB: JVNDB-2020-003917 // CNNVD: CNNVD-202004-013

EXTERNAL IDS

db: PACKETSTORM, id: 157048

Trust: 2.5

db: NVD, id: CVE-2020-10231

Trust: 2.5

db: JVNDB, id: JVNDB-2020-003917

Trust: 0.8

db: CNNVD, id: CNNVD-202004-013

Trust: 0.6

sources: JVNDB: JVNDB-2020-003917 // PACKETSTORM: 157048 // CNNVD: CNNVD-202004-013 // NVD: CVE-2020-10231

REFERENCES

url: http://packetstormsecurity.com/files/157048/tp-link-cloud-cameras-ncxxx-remote-null-pointer-dereference.html

Trust: 3.0

url: http://seclists.org/fulldisclosure/2020/mar/54

Trust: 1.6

url: http://seclists.org/fulldisclosure/2020/apr/5

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-10231

Trust: 1.5

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10231

Trust: 0.8

sources: JVNDB: JVNDB-2020-003917 // PACKETSTORM: 157048 // CNNVD: CNNVD-202004-013 // NVD: CVE-2020-10231

CREDITS

Pietro Oliva

Trust: 0.1

sources: PACKETSTORM: 157048

SOURCES

db: JVNDB, id: JVNDB-2020-003917
db: PACKETSTORM, id: 157048
db: CNNVD, id: CNNVD-202004-013
db: NVD, id: CVE-2020-10231

LAST UPDATE DATE

2024-11-23T22:29:40.451000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2020-003917, date: 2020-04-30T00:00:00
db: CNNVD, id: CNNVD-202004-013, date: 2022-07-01T00:00:00
db: NVD, id: CVE-2020-10231, date: 2024-11-21T04:55:00.940

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2020-003917, date: 2020-04-30T00:00:00
db: PACKETSTORM, id: 157048, date: 2020-04-01T15:24:43
db: CNNVD, id: CNNVD-202004-013, date: 2020-04-01T00:00:00
db: NVD, id: CVE-2020-10231, date: 2020-04-01T14:15:14.727