ID

VAR-202312-0659


CVE

CVE-2023-43454


TITLE

TOTOLINK X6000R firmware command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-018491

DESCRIPTION

An issue in TOTOLINK X6000R V9.4.0cu.652_B20230116 and V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the hostName parameter of the switchOpMode component. TOTOLINK X6000R firmware contains a command injection vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). TOTOLINK X6000R is a wireless router made by China Zeon Electronics (TOTOLINK) Company. TOTOLINK X6000R has a command execution vulnerability. The vulnerability stems from the failure of the hostName parameter of the switchOpMode component to correctly filter special characters, commands, etc. when the command is constructed. An attacker could exploit this vulnerability to cause arbitrary command execution.

Trust: 2.16

sources: NVD: CVE-2023-43454 // JVNDB: JVNDB-2023-018491 // CNVD: CNVD-2023-99449

IOT TAXONOMY

category: Network device, sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2023-99449

AFFECTED PRODUCTS

vendor: totolink, model: x6000r, scope: eq, version: 9.4.0cu.652_b20230116

Trust: 1.0

vendor: totolink, model: x6000r, scope: eq, version: 9.4.0cu.852_b20230719

Trust: 1.0

vendor: totolink, model: x6000r, scope: eq, version: x6000r firmware 9.4.0cu.852 b20230719

Trust: 0.8

vendor: totolink, model: x6000r, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: x6000r, scope: eq, version: x6000r firmware 9.4.0cu.652 b20230116

Trust: 0.8

vendor: totolink, model: x6000r, scope: -, version: -

Trust: 0.8

vendor: zeon, model: x6000r v9.4.0cu.852 b20230719, scope: -, version: -

Trust: 0.6

vendor: zeon, model: x6000r v9.4.0cu.652 b20230116, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2023-99449 // JVNDB: JVNDB-2023-018491 // NVD: CVE-2023-43454

CVSS

SEVERITY

nvd@nist.gov: CVE-2023-43454
value: CRITICAL

Trust: 1.0

NVD: CVE-2023-43454
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2023-99449
value: HIGH

Trust: 0.6

CVSSV2

CNVD: CNVD-2023-99449
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2023-43454
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-43454
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2023-99449 // JVNDB: JVNDB-2023-018491 // NVD: CVE-2023-43454

PROBLEMTYPE DATA

problemtype: CWE-77

Trust: 1.0

problemtype: Command injection (CWE-77) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-018491 // NVD: CVE-2023-43454

PATCH

title: Patch for TOTOLINK X6000R hostName parameter command execution vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/500426

Trust: 0.6

sources: CNVD: CNVD-2023-99449

EXTERNAL IDS

db: NVD, id: CVE-2023-43454

Trust: 3.2

db: JVNDB, id: JVNDB-2023-018491

Trust: 0.8

db: CNVD, id: CNVD-2023-99449

Trust: 0.6

sources: CNVD: CNVD-2023-99449 // JVNDB: JVNDB-2023-018491 // NVD: CVE-2023-43454

REFERENCES

url: https://github.com/tharsis1024/vuln/blob/main/totolink/x6000r/1.md

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2023-43454

Trust: 0.8

sources: CNVD: CNVD-2023-99449 // JVNDB: JVNDB-2023-018491 // NVD: CVE-2023-43454

SOURCES

db: CNVD, id: CNVD-2023-99449
db: JVNDB, id: JVNDB-2023-018491
db: NVD, id: CVE-2023-43454

LAST UPDATE DATE

2024-08-14T15:41:28.027000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2023-99449, date: 2023-12-21T00:00:00
db: JVNDB, id: JVNDB-2023-018491, date: 2024-01-11T06:11:00
db: NVD, id: CVE-2023-43454, date: 2023-12-06T18:37:12.260

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2023-99449, date: 2023-12-13T00:00:00
db: JVNDB, id: JVNDB-2023-018491, date: 2024-01-11T00:00:00
db: NVD, id: CVE-2023-43454, date: 2023-12-01T02:15:07.320