Details of VAR-202309-0477

ID

VAR-202309-0477

CVE

CVE-2023-39236

TITLE

ASUS RT-AC86U command injection vulnerability (CNVD-2023-70091)

Trust: 0.6

sources: CNVD: CNVD-2023-70091

DESCRIPTION

ASUS RT-AC86U Traffic Analyzer - Statistic function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services. RT-AC86U is a router launched by ASUS with a wireless speed of 2900M, an external antenna, and a WAN access port with a Gigabit network port. RT-AC86U integrates ASUS AiProtection, which is equipped with the enterprise-level network security system of Trend Micro smart home network. AiProtection will provide protection even if the connected device itself does not have anti-virus function. ASUS RT-AC86U has a command injection vulnerability in version 3.0.0.4.386.51529

Trust: 1.53

sources: NVD: CVE-2023-39236 // CNVD: CNVD-2023-70091 // VULMON: CVE-2023-39236

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2023-70091

AFFECTED PRODUCTS

vendor:	asus	model:	rt-ac86u	scope:	eq	version:	3.0.0.4_386_51529	Trust: 1.0
vendor:	asus	model:	rt-ac86u	scope:	eq	version:	3.0.0.4.386.51529	Trust: 0.6

sources: CNVD: CNVD-2023-70091 // NVD: CVE-2023-39236

CVSS

SEVERITY

CVSSV2

CVSSV3

twcert@cert.org.tw:	CVE-2023-39236
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2023-70091
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2023-70091
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

twcert@cert.org.tw:	CVE-2023-39236
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2023-70091 // NVD: CVE-2023-39236

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.0

sources: NVD: CVE-2023-39236

PATCH

title:

Patch for ASUS RT-AC86U command injection vulnerability (CNVD-2023-70091)

url:

https://www.cnvd.org.cn/patchInfo/show/462561

Trust: 0.6

sources: CNVD: CNVD-2023-70091

EXTERNAL IDS

db:	NVD	id:	CVE-2023-39236	Trust: 1.7
db:	CNVD	id:	CNVD-2023-70091	Trust: 0.6
db:	VULMON	id:	CVE-2023-39236	Trust: 0.1

sources: CNVD: CNVD-2023-70091 // VULMON: CVE-2023-39236 // NVD: CVE-2023-39236

REFERENCES

url:	https://www.twcert.org.tw/tw/cp-132-7351-ec8fe-1.html	Trust: 1.1
url:	https://nvd.nist.gov/vuln/detail/cve-2023-39236	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2023-70091 // VULMON: CVE-2023-39236 // NVD: CVE-2023-39236

SOURCES

db:	CNVD	id:	CNVD-2023-70091
db:	VULMON	id:	CVE-2023-39236
db:	NVD	id:	CVE-2023-39236

LAST UPDATE DATE

2024-08-14T14:30:17.822000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2023-70091	date:	2023-09-18T00:00:00
db:	VULMON	id:	CVE-2023-39236	date:	2023-09-07T00:00:00
db:	NVD	id:	CVE-2023-39236	date:	2023-09-12T20:46:29.193

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2023-70091	date:	2023-09-14T00:00:00
db:	VULMON	id:	CVE-2023-39236	date:	2023-09-07T00:00:00
db:	NVD	id:	CVE-2023-39236	date:	2023-09-07T07:15:08.440